WO2022100861A1 - Device and method for classifying input data - Google Patents

Device and method for classifying input data

Info

Publication number
WO2022100861A1
Authority
WO
WIPO (PCT)
Prior art keywords
computing device
groups
privacy
operations
input data
Prior art date
Application number
PCT/EP2020/082215
Other languages
French (fr)
Inventor
Oleg Pogorelik
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2020/082215
Publication of WO2022100861A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/06: Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons
    • G06N3/063: Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons using electronic means
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks

Definitions

  • the embodiment of the invention relates to classifying input data. Aspects of the embodiment of the invention relate to a computing device for classifying input data and to a method for classifying input data using a computing device.
  • Deep neural network classifiers employ successive layers of computational operations to progressively extract features from input data and generate a classification prediction for the input data. Execution of these computational operations may disadvantageously demand a relatively great amount of computational resource, such as memory and processor capacity, and energy supply. Such high demands for computational resource may however be problematic, such as where the neural network is run on a computing device having relatively low computational resources, for example, a mobile computing device.
  • An objective of the embodiment of the invention is to provide a safe device and method for reducing the demand on the computational resources of a computing device running a neural network classifier.
  • a first aspect of the embodiment of the invention provides a computing device (i.e. a first computing device) for classifying input data, the computing device comprising a memory configured to store machine-readable instructions defining a neural network comprising one or more feature classification operations, wherein the computing device is configured to: receive input data; output the input data or a feature map (i.e. a first feature map) representing the input data to a further computing device (i.e. a second computing device); receive, from the further computing device, a further feature map (i.e. a second feature map) representing the input data; and perform one or more of the feature classification operations of the neural network defined in the memory on the further feature map representing the input data to obtain a classification prediction for the input data.
  • the computing device is used for receiving input data, for example, input text, image, video, audio or sensor data.
  • the computing device may be a mobile computing device running application software configured to capture input data, such as image data via an onboard camera, and generate a classification prediction for characteristics of the input data, such as identification of a person in the image.
  • the computing device outputs, e.g. transmits, the input data, or a feature map representing the input data, i.e. a structured but unclassified vector representation of the input data obtained as a result of feature extraction or other processing operations performed on the input data, to the further computing device.
  • the further computing device may be a remote computing device in communication with the computing device, for example, operating in a client-server relationship with the computing device via the internet.
  • Offloading the input data, or the feature map representing the input data, to the further computing device may advantageously allow relatively resource consumptive feature extraction operations of the neural network, e.g. convolution operations, to be performed on the further computing device.
  • the operations of the neural network may benefit from computing resource, e.g. relatively higher processor capacity, available on the further computing device, which may advantageously allow faster execution of the neural network, or allow execution of a more complex and resource consumptive neural network.
  • a risk of exposure of confidential personal or system information e.g. runnable code, executables, and configuration of the neural network, such as classification definitions, may exist in offloading operations of the neural network to the further computing device. This is a particular concern when the further computing device is operated by an untrusted third party, or where the data connection between the computing devices is insecure.
  • as a balance between protecting the privacy of information associated with the classification operations of the neural network, such as class definitions and classification predictions, and conserving limited computational resource of the computing device, it may be considered acceptable to offload certain operations of the neural network, e.g. feature extraction operations of the neural network, to the further computing device.
  • This acceptability arises because the inputs and outputs of feature extraction layers, i.e. feature maps, will typically contain only relatively anonymous information regarding local features of the data, e.g. edges, shapes or gradients, such that the risk associated with exposure of the offloaded data is relatively low.
  • successively final, fully-connected layers, of the neural network may have as inputs composite and aggregated information from all preceding feature extraction layers.
  • classification layers, i.e. layers of operations for inferring a class to the input data by reference to class definitions, may additionally have as inputs class definitions and other sensitive classification information, and will output classification predictions for the input data. All of these data items may be considered confidential, and it may thus be considered desirable to avoid sharing this information with an untrusted or insecure further computing device.
  • the embodiment of the invention thus provides for offloading feature extraction operations of the neural network, to a further computing device, e.g. a remote server, whilst retaining classification operations, on the computing device, e.g. a mobile computing device.
  • the further computing device is thus only tasked with the offloaded operations, e.g. feature extraction operations; it receives only a feature map representing the input data from, and returns only a feature map representing the input data to, the computing device.
  • the computing device may then perform classification operations of the neural network on the feature map locally, either directly using the feature map output by the further computing device or following further feature extraction operations (i.e. second feature extraction operations), by reference to locally stored class definition and other classification information. Consequently, certain confidential information, such as aggregated data from feature extraction operations, class definitions, classification predictions, and other classification information, is only required to be accessible by the computing device, and is not required to be shared with the further computing device.
  • the embodiment of the invention may thus advantageously result in improved performance of operations of the neural network, by reason of its utilising of computing resources, such as processor capacity of the further computing device. This may, for example, advantageously reduce the time to execute the neural network, or allow a complex, deep, neural network classifier, to be run on a computing device having relatively low computational resource.
  • because classification operations remain on the computing device, e.g. the mobile computing device, rather than being offloaded to the further computing device, e.g. the remote server, the privacy of the classification predictions, class definitions and other confidential classification data may desirably be maintained.
  • the computing device is further configured to generate a classification prediction for the input data by performing the one or more feature classification operations defined in the memory.
  • a classification prediction may thus be obtained for the input data.
  • the memory is further configured to store machine-readable classification definitions
  • the computing device is further configured to access one or more of the classification definitions stored in the memory, and generate the classification prediction for the input data by performing the one or more feature classification operations defined in the memory based on one or more of the machine-readable classification definitions stored in the memory.
  • the classification definitions define features of classifications relevant to infer a classification to input data. For example, in a task of identifying a person from an image, the classifications may index a person’s visual biometric information to their name.
  • the classification definitions required for the classification task should be accessible to the first computing device. Storing the classification definitions in memory of the first computing device, i.e. local memory, may advantageously reduce latency in computations using the definitions, and further may advantageously reduce the risk of exposure of the classification definitions resulting from storage on untrusted remote memory or from interception of the definitions during transmission from remote memory to the first computing device.
  • the memory further stores one or more feature extraction operations
  • the memory is further configured to store intermediate results of the neural network, and machine-readable rules defining: groups of one or more of the feature extraction and/or feature classification operations, each group having associated performance score representing a magnitude of a computational resource for computing the one or more operations of the group, and/or a privacy score representing a privacy risk associated with inputs, outputs or the operations of the group; an order for performance of the groups of the operations; and sources of operands for each group of operations in which operations of a first group in the order operate on the input data and operations of each subsequent group of operations in the order operate on one or more outputs of a preceding group of operations.
  • each group may comprise operations of only a single layer of the neural network, such that effectively each layer of the neural network has associated therewith a performance and/or privacy score.
  • each group may comprise plural consecutive layers of operations of the neural network, such that the plural layers of operations of the neural network have associated therewith a common performance and/or privacy score.
  • the performance score thus defines a magnitude of a computational resource required, for example, a computational processing, memory and/or energy requirement, for computing the one or more operations of the group.
  • the performance score may thus be used for computing whether operations of the group may be executed by an available computational resource.
  • the performance score may be used for determining whether groups may be successfully served by available computational resource of the computing device and/or the further computing device.
  • the privacy score quantifies a degree of detriment to privacy associated with exposure or other compromise of inputs and/or outputs, e.g. feature maps input or output by the operations of the group, e.g. runnable code, executables, configurations of the neural network, and/or class definitions used for classification.
  • the privacy score may be indicative of an ease of recoverability of the raw input data input into the neural network from a feature map output by the operations of the group.
  • the privacy score may be indicative of a perceived confidentiality of information such as class definitions, for example, personal biometric information, and/or model configurations, associated with the operations of the group.
  • the privacy score may, for example, be a manually determined value based on a subjective assessment of a perceived harm associated with exposure of the inputs/outputs/operations of the operations of the group. For example, where class definitions contain personal biometric information, the privacy score may indicate the highly confidential nature of this information by a correspondingly high score. As an example alternative, the privacy score may be an objective determination based, for example, on a statistical analysis of the recoverability of raw input data from intermediate results input/output by operations of the group.
  • the computing device is configured to determine a threshold performance score, determine a sum of performance scores associated with a set of one or more consecutive groups of the groups of the operations including a last group in the order, and compare the sum of performance scores associated with the set of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores is acceptable compared to the threshold performance score.
  • the computing device may compare the computational resource required for execution of operations of the set of consecutive groups of the operations to a threshold performance score, i.e. a threshold value of computational resource, and determine the relationship.
  • the threshold performance score may represent an available computational resource of the computing device, e.g. the mobile computing device, and this step may thus comprise comparing the computational resource demanded for executing operations of the set of one or more consecutive groups to the available computational resource of the first computing device.
  • the threshold score may be constructed, for example, such that a 'lower' relationship of the sum of performance scores to the threshold performance score indicates an acceptable relationship. Thus, by this comparison, it may be determined whether the operations of the set of one or more consecutive groups can be executed on the computing device using the available computational resource of the computing device.
  • the threshold performance score may, for example, be dynamically determined by real-time analysis of the available computational resource, e.g. processor/memory capacity, or may alternatively be a static pre-determined value.
  • a threshold performance score defining an upper bound of computational resource available for execution of operations of the neural network, is not exceeded by the computational resource demand of retained operations, i.e. operations of the set of one or more consecutive groups of operations.
  • the computing device is configured to determine a threshold privacy score, and compare one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determine if a privacy score associated with one or more of the groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
  • the threshold privacy score may define an acceptable level of privacy risk, such that for example, a higher (or alternatively lower) privacy score indicates an unacceptable privacy risk. This operation may thus advantageously determine whether or not the set of one or more consecutive groups of operations present an acceptably low privacy risk compared to the threshold privacy score.
  • the threshold privacy score may, for example, be a predetermined value.
  • the privacy scores of each group of the set of one or more consecutive groups may be individually compared to the threshold privacy score, which may advantageously ensure that the privacy score of each group is acceptable. Comparing the privacy score of each group of the set of one or more groups to the threshold privacy score may however incur excessive computational cost and/or result in delay.
  • the privacy score of a subset of the groups may be checked, for example, a first and last group of the set of groups, from which a probability of the privacy scores of the other layers being acceptable may be inferred.
  • comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing a privacy score associated with each group of the set of one or more groups to the threshold privacy score and determining if the privacy score associated with each of the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score. Comparing a privacy score of each group to the threshold privacy score may desirably ensure that the privacy score of each group is considered acceptable, thereby reducing the level of privacy risk associated with the neural network.
  • comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing privacy scores associated with a respective one of a first group and a last group in the set of one or more consecutive groups to the threshold privacy score and determining if the privacy scores associated with each of the first group and the last group of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
  • the computing device may be configured to compare privacy scores of only a subset of the set of groups, including first and last groups of the set, to the threshold privacy score.
  • the method may comprise comparing privacy scores of only first and last groups of the set to the threshold privacy score.
  • Inputs and outputs, e.g. feature maps, of a first group of the set are likely to present the greatest risk of recoverability of the input data of the neural network, e.g. an input image of a person, given that the input data has undergone the fewest transformations at that point of the neural network.
  • inputs and outputs of a last group of the set may include highly confidential class definitions and classification predictions respectively. The first and last groups of the set may thus likely represent the greatest privacy risk of any groups of the set.
  • if the privacy scores of the first and last groups of the set are determined acceptable compared to the threshold privacy score, it may typically be safely assumed that privacy scores of intermediate groups of the set are also acceptable. Comparing privacy scores of only a subset of groups of the set to the threshold privacy score may advantageously reduce computational resource consumed in the comparison operations, as compared to comparing privacy scores of every one of the groups of the set.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the one or more privacy scores associated with one or more groups of the set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the set for performance on the computing device.
  • the computing device may flag operations of those groups for execution on the computing device.
  • the threshold performance score may represent a maximum available computational resource of the computing device, and on determining that the operations of the one or more groups may be served by that available computational resource, it can be determined that those operations may be performed on the computing device.
  • the computing device may be configured to compare both of the performance score(s) and the privacy score(s) to the respective thresholds.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the privacy scores associated with one or more of the groups of the set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the set of one or more consecutive groups. In other words, if it is determined that the performance score(s) and/or the privacy score(s) are acceptable compared to the respective thresholds, the flagged operations of the set of one or more groups are executed on the computing device.
  • the threshold performance score is representative of a computational processing capability of the computing device.
  • the threshold performance score may advantageously thereby allow comparison of the computational requirement of operations of the set of one or more groups of operations to the processing capability of the computing device, to thereby allow determination of operations which may be retained for execution by the computing device.
  • the threshold performance score is a predetermined value stored in the memory.
  • the threshold performance score could be specified by the designer of the neural network based on the expected computational resource of the computing device and/or the further computing device.
  • a predetermined value may advantageously be a relatively simple means of defining a computational capability of the respective computing devices.
  • using a predetermined value may advantageously be relatively more robust and less susceptible to corruption than other methods of generating the threshold performance score, for example, dynamic generation of the score.
  • the computing device is further configured to determine the threshold performance score by evaluating a computational resource of the computing device. This may advantageously allow execution of the neural network to be adjusted to suit the particular computational capability of the computing device. For example, where the computing device has only a relatively low computational resource, e.g. low processor capacity, such that only a relatively low amount of computational resource of the computing device is available for execution of operations of the neural network, the threshold performance score may be lowered, such that only operations whose performance score sum is acceptably low are retained on the computing device. Determination of the threshold performance score by evaluating the computational capability of the computing device may thus allow for more optimal utilisation of computational resource of the computing device compared to a predetermined threshold performance score.
  • determination of the threshold performance score by evaluation of the computational capability of the computing device may advantageously avoid: (a) under-utilising computational resource of the computing device, which may undesirably result in an excessively high level of offloading of operations, and consequently increase the risk to privacy of the neural network; and (b) overloading the computing device with operations of the neural network for execution, which may undesirably result in excessive queuing of operations and so undesirably increase the time required for execution of the neural network.
  • the threshold privacy score is representative of a threshold privacy risk associated with inputs, outputs or operations of the groups of the operations.
  • the threshold privacy score may quantify a degree of detriment to privacy associated with exposure or other compromise of inputs and/or outputs, e.g. intermediate results such as feature maps, input or output by the groups, and/or operations of the groups, e.g. runnable code, executables, configurations of the groups, and/or class definitions used for classification, that is considered subjectively acceptable.
  • the threshold privacy score is a pre-determined value stored in the memory.
  • the threshold privacy score may be specified by the designer of the neural network based on a degree of privacy risk considered commercially acceptable.
  • a predetermined value may advantageously be a relatively simple means of defining the acceptable risk, and provide certainty that the specified level of risk will not be exceeded. Further, using a predetermined value may advantageously be relatively more robust and less susceptible to corruption than other methods of generating the threshold privacy score, for example, dynamic generation of the score.
  • the computing device is further configured to determine the threshold privacy score by evaluating a privacy risk associated with performance of operations of the set of one or more consecutive groups of operations by the further computing device.
  • the threshold privacy score may be based on the perceived trustworthiness of the further computing device, and/or the security of the data connection between the computing device and the further computing device. For example, if the further computing device is operated by an untrustworthy third party, the threshold privacy score may be reduced to thereby ensure that only very low risk layers are offloaded. This may thus optimise a balance between performance of the neural network and the privacy risk associated with offloading operations of the neural network to the further computing device.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups not being determined acceptable, determine a sum of performance scores associated with a subset of one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups, and compare the sum of performance scores associated with the subset of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores associated with the subset of one or more consecutive groups is acceptable compared to the threshold performance score.
  • the method may comprise excluding one or more initial groups of the set of groups, such that the subset comprises fewer groups of operations. Fewer groups of operations may be expected to require a correspondingly lower level of computational resource for execution. Performance scores of the subset of groups are again summed and compared to the threshold score, to determine if the subset of groups can be supported by the computing resource of the computing device.
  • the computing device is further configured to, in response to the one or more privacy scores associated with one or more groups of the set of one or more consecutive groups not being determined acceptable, compare one or more privacy scores associated with one or more groups of a subset of the one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups to the threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the subset of one or more consecutive groups is acceptable compared to the threshold privacy score.
  • the method may comprise comparing privacy scores of the set of one or more groups to the threshold privacy score, and if the privacy scores are not determined to be acceptable in comparison, reducing the number of groups to form a subset of groups, and repeating the comparison until a subset of groups with acceptable privacy scores are identified.
  • the same subset of groups will undergo both the performance score comparison and the privacy score comparison. This may advantageously ensure that the subset of groups have undergone, and passed, both checks.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of the subset of one or more consecutive groups being determined acceptable, flag operations of the subset of groups for performance on the computing device.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of the subset of one or more consecutive groups being determined acceptable, perform operations of the subset of groups.
  • the computing device is further configured to perform one or more of the feature extraction operations (i.e. first feature extraction operations) on the input data and output a feature map representing the input data resulting from performing the one or more feature extraction operations to the further computing device.
  • the computing device may perform preliminary feature extraction operation on the input data locally, i.e. on the computing device itself, and only output to the further computing device a feature map representing the input data generated by the preliminary feature extraction operations.
  • the computing device is further configured to determine a further threshold performance score, determine a sum of performance scores associated with a further set (i.e. a second set) of one or more consecutive groups of the groups of operations including a first group in the order, and compare the sum of performance scores associated with the further set of one or more consecutive groups to the further threshold performance score and determine if the sum of the performance scores associated with the further set of one or more consecutive groups is acceptable compared to the further threshold performance score.
  • the computing device is further configured to determine a further threshold privacy score, and compare one or more privacy scores associated with one or more groups of the further set of one or more consecutive groups to the further threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups is acceptable compared to the further threshold privacy score.
  • the comparing one or more privacy scores associated with the one or more groups of the further set of groups to the further threshold privacy score and determining if the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups is acceptable compared to the further threshold privacy score comprises comparing privacy scores associated with a respective one of a first group and a last group of the further set of groups to the further threshold privacy score and determining if the privacy scores associated with each of the first group and the last group of the further set of groups is acceptable compared to the further threshold privacy score.
  • the privacy score of the first group of the further set of groups may typically be expected to be the greatest, i.e. indicating the greatest privacy risk, because it receives input data and outputs data that is most similar to the input data.
  • the risk of recovery of the input data, which may be confidential, from the inputs/outputs of the first group of the further set of groups is thus likely to be the greatest. Consequently, comparing the privacy score of a group of layers, i.e. the subset of layers, to the threshold privacy score ensures that, in all likelihood, the privacy scores of all of the layers of the group will be acceptable.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the further set of groups for performance on the computing device.
  • the computing device is further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the further set of groups.
  • the computing device may perform preliminary feature extraction operation (i.e. first feature extraction operation) on the input data, i.e. the group of feature extraction operations including the first group of the further set of groups, and output to the second computing device an intermediate representation (i.e. a first intermediate representation) of the input data generated by the preliminary feature extraction operations.
  • this means that the raw input data is not required to be shared with the second computing device, thereby reducing the risk of misappropriation or other exposure of the raw input data by the second computing device.
  • the input data comprises at least one of image data, video data and audio data.
  • the computing device is configured for classifying image, video or audio data.
  • the method may be particularly useful for classification of input image data.
  • Input image data may require a particularly high level of computational resource, such as processor capacity, due to the inherent richness of image data. The method may thus allow for the required high demand for computational resource to be safely shared between the computing devices.
  • the input data may be an image of a person’s face, and a classification task may involve prediction of the subject’s identity by reference to class definitions such as biometric information.
  • the input data may be finger-print data, either in the form of image data or another form of data, and the computing device may be configured to classify input finger-print data using the neural network to identify a finger-print.
  • each of the one or more feature extraction operations comprises a convolution operation. This may be particularly advantageous where the neural network is for classification of input image data, as convolution operations may be particularly effective at extracting features from image data.
  • a second aspect of the embodiment of the invention provides a computing device for classifying input data, the computing device comprising: a memory storing machine-readable instructions defining one or more feature extraction operations, wherein the computing device is configured to: receive input data or a feature map representing the input data from a further computing device; perform one or more of the feature extraction operations stored in memory on the input data or the feature map representing the input data; generate a further feature map representing the input data resulting from the performance of the one or more feature extraction operations; and output the further feature map representing the input data to the further computing device.
  • the computing device is further configured to receive from the further computing device the machine-readable instructions defining the one or more feature extraction operations of the neural network.
  • a third aspect of the embodiment of the invention provides a method for classifying input data using a neural network, the method comprising receiving input data using a computing device and outputting the input data or a feature map representing the input data to a further computing device, receiving, using the computing device, a further feature map representing the input data from the further computing device, and performing on the computing device one or more feature classification operations of the neural network on the further feature map representing the input data.
  • a fourth aspect of the embodiment of the invention provides a method for classifying input data using a neural network, the method comprising: receiving, using a computing device, input data or a feature map representing the input data from a further computing device; performing, using the computing device, one or more feature extraction operations of the neural network on the input data or the feature map representing the input data, generating a further feature map representing the input data resulting from the performance of the one or more feature extraction operations; and outputting the further feature map representing the input data to the further computing device.
  • a fifth aspect of the embodiment of the invention provides a computer program comprising instructions, which, when executed by a computing device, cause the computing device to perform the method of the third aspect or the fourth aspect.
  • a sixth aspect of the embodiment of the invention provides a computer-readable data carrier having the computer program of the fifth aspect stored thereon.
  • Figure 1 shows schematically an example of a computing system embodying an aspect of the embodiment of the invention;
  • Figure 2 shows schematically first and second computing devices of the computing system identified with reference to Figure 1;
  • Figure 3 shows processes of a method performed by a computer program run on the first computing device identified with reference to Figure 2 for classifying input data using a neural network classifier;
  • Figure 4 shows illustratively a neural network model used by the computer program identified with reference to Figure 3;
  • Figure 5 shows schematically processes involved in offloading layers of the neural network for execution by the second computing device, which include a process of determining an upper partition for the neural network model;
  • Figure 6 shows schematically processes involved in determining an upper partition for the neural network model;
  • Figure 7 shows schematically other processes involved in determining an upper partition for the neural network model;
  • Figure 8 shows illustratively a neural network model used by a computer program including partitions partitioning the layers of the neural network model;
  • Figure 9 shows illustratively operations performed by the first and second computing devices identified with reference to Figure 2 during execution of the computer program identified with reference to Figure 3.
  • a computing system 101 of the embodiment of the invention comprises a first computing device, for example a mobile computing device 102, and a second computing device (also named as a further computing device in all embodiments of the invention), for example a remote server 103.
  • the computing system 101 is configured to run a computer program employing a neural network classifier for classification of input data, for example, input text, speech, image or video data.
  • the mobile computing device 102 may be embodied as a cellular telephone handset configured for communicating wirelessly with remote server 103 via a wireless telecommunication network 106.
  • mobile computing device 102 comprises an electronic display screen 104 on a front of the cellular telephone handset.
  • the electronic display screen 104 is configured to be ‘touch-sensitive’, for example, as a capacitive touch screen, so as to be receptive to a user input and thereby function as a human-machine interface between the computer program running on the mobile computing device 102 and a user.
  • Mobile computing device 102 may further comprise an optical camera 105, for example, a CCD device, located on a rear of the cellular telephone handset, for capturing optical images.
  • a function of mobile computing device 102 is to receive input data for classification.
  • the mobile computing device 102 receives optical image data via the onboard optical camera 105.
  • mobile computing device 102 may permissibly be substituted for an alternative computing device capable of performing the function of receiving image data, for example, a non-mobile computing device, and the various functional components of the computing device 102, such as the display screen 104, may alternatively be replaced by alternative components for fulfilling alternative functions, or omitted entirely if not needed for a particular application.
  • the particular form of the computing device 102 may be changed in alternative embodiments to suit reception of the particular type of data to be classified.
  • the mobile computing device 102 may be substituted for a non-mobile computing device without the optical camera 105.
  • the particular embodiment described in detail herein is thus given as an example only, and other embodiments of mobile computing device 102 may be taken into consideration by a person skilled in the art without departing from the invention.
  • remote server 103 is configured as a ‘cloud’-based computing resource.
  • the remote server 103 may thus be located remotely of the mobile computing device 102, for example, in a remote data centre.
  • the remote server 103 is configured to communicate, e.g. exchange data, with the mobile computing device 102 via the wireless network 106.
  • mobile computing device 102 and remote server 103 each comprise computational resource for executing tasks of a computer program run on the mobile computing device 102.
  • Mobile computing device 102 comprises central processing unit 201, flash memory 202, random-access memory 203, communication unit 204, battery 205, input/output interface 206, and system bus 207.
  • Mobile computing device 102 is configured to run a computer program for classification of input data using a neural network classifier model, which is a model trained for classifying input data.
  • the communication unit 204 may include a baseband chip and/or a WiFi chip.
  • Central processing unit 201 is configured for execution of instructions of a computer program.
  • Flash memory 202 is configured for non-volatile storage of computer programs for execution by the central processing unit 201.
  • Random-access memory 203 is configured as read/write memory for storage of operational data associated with computer programs executed by the central processing unit 201.
  • Communication unit 204 is provided for interfacing the mobile computing device 102 with the wireless telecommunication network.
  • Battery 205 is provided for supplying electrical power to electrical consumers of the mobile computing device, such as central processing unit 201 and/or communication unit 204.
  • Input/output interface 206 is provided for connection of the electronic display screen 104, optical camera 105, and a wireless transceiver for communicating via the wireless network.
  • the components 201 to 206 of the mobile computing device 102 are in communication via system bus 207.
  • the flash memory 202 has a computer program for classifying input data using a neural network stored thereon.
  • the mobile computing device 102 is thus configured, in accordance with the instructions of the computer program, to receive input data via the input/output interface 206, for example, input image data from the connected camera 105, and process the input data on the central processing unit 201 using a neural network trained for a classification task to thereby generate one or more classification predictions for the input data, e.g. the content of the input image data.
  • the mobile computing device 102 is then configured to output the classification prediction(s), for example, for display to a user of the mobile computing device via the display screen 104 connected to the input/output interface 206.
  • the computer program stored in flash memory 202 is configured for identification of persons in input image data with reference to stored biometric information, such as information defining facial features.
  • the mobile computing device 102 captures an image of the user using the camera, performs feature extraction and classification together with the further computing device 103 as defined in any embodiment of the invention, and outputs the classification prediction of the user. The classification prediction is compared with the stored information defining facial features to determine whether the user is a legal or authorized user. Flash memory 202 may alternatively be substituted for an alternative type of memory.
  • remote server 103 comprises central processing unit 201’, flash memory 202’, random-access memory 203’, input/output interface 206’, and system bus 207’.
  • remote server 103 comprises a power supply 208 for connection to a source of mains electrical power, in place of the battery 205 of mobile computing device 102.
  • Remote server 103 may comprise a wireless transceiver 204’ connected to input/output interface 206’, for communicating with the mobile computing device 102 via the wireless network.
  • the computer program for classifying input data using a neural network classifier stored on the flash memory 202 of the mobile computing device 102, comprises five stages.
  • the computer program causes the central processing unit 201 to obtain and load a deep neural network model trained for the intended classification task stored in the flash memory 202.
  • Stage 301 may, for example, comprise an initial stage of building and training a neural network model for the classification task, and storing the trained model in the flash memory 202.
  • stage 301 may comprise obtaining a pre-trained neural network classifier model that is already stored in flash memory 202.
  • an example of the deep neural network model is a convolutional neural network model for an image classification task.
  • the computer program causes the central processing unit 201 to partition the neural network model obtained at stage 301, and offload, i.e. transmit, computational operations, e.g. convolutional operations, of one or more layers of the neural network model to the remote server 103 for execution by the CPU 201’ of the remote server.
  • the transmitted computational operations may comprise data defining the configuration of the relevant one or more layers. Therefore the remote server 103 has a neural network model to perform the operations expected by the mobile computing device 102.
  • the data defining the configuration of the relevant one or more layers include meta data or executable data that describes neural network layout, i.e. architecture of one or more network layers that will run on the server side.
  • the data defining the configuration of the relevant one or more layers may further include the related portion of the network configuration (weights) needed for proper network functioning.
  • the computer program causes the central processing unit 201 of the mobile computing device 102 to receive input data for classification by the neural network classifier model.
  • this stage may involve the central processing unit 201 outputting a command to the camera 105 connected to the input/output interface 206 to capture an optical image.
  • Stage 303 may thus, possibly, be initiated in response to a user input via the touch-sensitive display screen 104.
  • this stage may involve the central processing unit 201 receiving input data for classification sent from an external device.
  • the central processing unit 201 outputs a command to the external device connected to the input/output interface 206 to cause the connected device to return input data for classification.
  • the computer program causes the central processing units 201, 201’ of the mobile computing device 102 and remote server 103 respectively, to execute respective operations of the neural network model on the input data received at stage 303.
  • the central processing unit 201 of the mobile computing device 102 does some local processing and sends an intermediate features vector to the remote server 103.
  • the central processing unit 201’ of the remote server 103 processes the intermediate features vector (not the original input data) to obtain a features vector and returns the obtained features vector to the mobile computing device 102.
  • the computer program causes the remote server 103 to return resultant data to the mobile computing device 102 for storage in random access memory 203.
  • the computer program causes the mobile computing device 102 to output classification prediction(s) obtained by execution of the neural network classifier model for the received input data.
  • this stage may involve the mobile computing device 102 outputting the classification predictions in visual form via the display screen 104.
  • the neural network classifier model obtained at stage 301 comprises a succession of discrete layers of computational operations, in the example, four layers 401, 402, 403 and 404, for operating successively on input image data 405.
  • the first three layers, 401 to 403, of the neural network model are convolutional operators, and form a feature extraction stage for progressively extracting features, such as edges and gradients, from the input image data 405.
  • the image data 405 is thus input into the first convolutional feature extraction layer, layer 401.
  • Computational operations of the first layer 401 perform feature extraction operations on the input data, based on trained weights and other parameters, and output an intermediate representation (i.e. a first intermediate representation), in the form of feature map 1, of the input image.
  • the feature map 1 is fed as an input into the second layer 402, which in turn performs convolutional feature extraction operations on the feature map 1, and outputs a second feature map, feature map 2.
  • the third feature extraction layer 403 takes the feature map 2 as an input, and outputs feature map 3. It should be understood that whilst in the example the neural network model comprises just three feature extraction layers, 401 to 403, in practice the model may typically comprise many more successive layers, to thereby improve the completeness of the feature extraction task.
  • the fourth layer, layer 404 is a fully-connected classification layer, which forms a classification stage of the model.
  • the fourth layer 404 is thus trained for prediction of one or more classifications for the input data, based on the features of the input data extracted during the feature extraction stage, as codified in the feature map 3, and predefined classification definitions.
  • the neural network model is employed for identification of a person in an image.
  • the fully-connected classification layer 404 will also have as an input classification definitions, such as predefined biometric information, to permit inference of an identity of a subject based on extracted features of the image data.
  • An output of the fourth layer 404 is the predicted classifications, which may for example be a probability matrix defining probabilities of the input image data belonging to plural classifications, i.e. the probabilities of the subject of the input image data having specific identities.
  • Each of the layers 401 to 404 of the neural network model has assigned thereto individual predetermined performance and privacy scores.
  • the performance score of each layer quantifies a computational resource, specifically a computational processor capacity, required for complete execution of all operations of the respective layer.
  • the performance score of each layer is a predefined value manually assigned by a designer of the neural network model.
  • a high performance score is taken to denote a high level of computational resource required for execution of operations of the layer.
  • the privacy score of each layer quantifies a privacy risk associated with inputs, outputs or operations of the layer. More particularly, the privacy score of each layer codifies a perceived harm associated with a loss of privacy of the inputs, outputs or operations of the layer. In other words, the privacy score of each layer represents a perceived level of confidentiality of the inputs/outputs/operations of the layer. Similarly, in the example, a privacy score is manually assigned to each of the layers by a designer of the neural network model, and a high privacy score indicates highly confidential information representing a high privacy risk.
  • stage 302 for offloading layers of operations of the neural network model to the remote server 103 comprises three stages.
  • the upper partition determined at stage 501, and the lower partition determined at stage 502 thus divide the layers of the neural network model into three parts.
  • the upper layers of the neural network model, and in particular the fully-connected classification layer 404, may be expected to have a relatively high privacy score, indicating a perceived high level of confidentiality associated with the inputs, outputs or operations of the layer.
  • the fully-connected classification layer 404 will receive as an input aggregated and composite feature information extracted by the layers of the preceding feature extraction stage.
  • This aggregated feature information may be considered highly confidential for the reason that this data may provide a relatively complete representation of the input data, in the example, of the input image data 405.
  • the input image data includes personally identifiable information, as in the example where the input image data is a photograph of a person, it may be highly undesirable for this aggregated feature information to be misappropriated by a third party or otherwise exposed.
  • the fully-connected classification layers will additionally receive as an input classification definitions for use in the inference operations, and these classification definitions may in themselves contain confidential information.
  • the classification definitions may comprise biometric data and personally identifiable information, such as names, of persons relevant to the identification task. Such classification definitions may thus be considered highly confidential.
  • the classifications layer 404 has as an output the classification predictions, which may themselves be considered confidential.
  • the classification layer 404 may comprise proprietary computational operations trained for the classification task, which may be considered commercially confidential and intended to be maintained as a trade secret.
  • Upper layers of the neural network model may thus be assigned relatively high privacy scores.
  • the lower layers of the neural network model, most notably the first layer 401, have as an input the actual input image data 405, and as an output the feature map 1 representing the input data following the single layer of feature extraction operations.
  • the input image data may be considered highly confidential, for the reasons discussed above.
  • the feature map 1, representing feature information after only a single layer of operations, may still be highly representative of the input image data, and it may be possible for significant features of the input image data to be recovered by a ‘reverse-engineering’ technique performed on the feature map 1.
  • Lower layers of the neural network model may thus also be assigned relatively high privacy scores, denoting a high privacy risk associated with inputs, outputs or operations of the layers. It may thus similarly be considered desirable to avoid offloading to the remote server the lower layers of the neural network model.
  • the intermediate layers of the neural network located between the upper and lower partitions of the neural network model, may each have relatively low privacy scores.
  • each of these intermediate layers has knowledge of only a relatively small amount of relatively anonymous data.
  • each of the intermediate layers has, as an input and an output, only an intermediate representation of the input image data, i.e. a feature map defining a narrow class of features of the input data.
  • the intermediate layers may have relatively low privacy scores, representing a relatively low level of perceived harm that may result from misappropriation or exposure of the inputs, outputs or operations of the intermediate layers.
  • the intermediate layers of operations of the neural network model may be offloaded to the remote server 103 for execution.
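The three-part execution described above (lower layers on the mobile computing device, intermediate layers on the remote server, classification back on the device) is shown here as an added Python example; it is not code from the patent. The 1-D convolution, weights, input and class definitions are constructed stand-ins, and all class and function names are hypothetical.

```python
# Added example: constructed model, weights and input; not code from the patent.

def conv1d(signal, kernel):
    """One feature extraction layer: valid 1-D convolution followed by ReLU."""
    k = len(kernel)
    return [max(0.0, sum(signal[i + j] * kernel[j] for j in range(k)))
            for i in range(len(signal) - k + 1)]


def fully_connected(features, class_definitions):
    """Classification layer: score each class definition, return the best label."""
    scores = {label: sum(f * w for f, w in zip(features, weights))
              for label, weights in class_definitions.items()}
    return max(scores, key=scores.get)


class RemoteServer:
    """Further computing device. Holds only what crosses the trust boundary."""

    def __init__(self):
        self.received = []   # transcript of every payload the device sent
        self.kernels = []

    def load_layers(self, kernels):
        # Offloaded layer configuration: layout plus weights of the middle layers.
        self.received.append(("layer_config", [list(k) for k in kernels]))
        self.kernels = [list(k) for k in kernels]

    def extract(self, feature_map):
        self.received.append(("feature_map", list(feature_map)))
        for kernel in self.kernels:
            feature_map = conv1d(feature_map, kernel)
        return feature_map   # further feature map, returned to the device


class MobileDevice:
    """First computing device. Keeps layers before `lower` and from `upper` on."""

    def __init__(self, kernels, class_definitions, lower, upper):
        if not 0 < lower <= upper <= len(kernels):
            raise ValueError("partitions must keep the first layer local")
        self.kernels = kernels
        self.class_definitions = class_definitions   # never leaves the device
        self.lower, self.upper = lower, upper

    def offload(self, server):
        server.load_layers(self.kernels[self.lower:self.upper])

    def classify(self, raw_input, server):
        fmap = raw_input
        for kernel in self.kernels[:self.lower]:     # lower layers, local
            fmap = conv1d(fmap, kernel)
        if self.upper > self.lower:                  # middle layers, remote
            fmap = server.extract(fmap)
        for kernel in self.kernels[self.upper:]:     # upper extraction layers, local
            fmap = conv1d(fmap, kernel)
        return fully_connected(fmap, self.class_definitions)   # always local


def classify_locally(raw_input, kernels, class_definitions):
    """Reference run with no offloading, used to check the split changes nothing."""
    fmap = raw_input
    for kernel in kernels:
        fmap = conv1d(fmap, kernel)
    return fully_connected(fmap, class_definitions)


# Constructed sample data.
RAW_INPUT = [0.0, 1.0, 3.0, 2.0, 5.0, 4.0, 6.0, 8.0, 7.0, 9.0, 4.0, 2.0]
KERNELS = [[0.5, 0.25, 0.25], [1.0, -1.0, 1.0], [0.2, 0.6, 0.2]]
CLASS_DEFINITIONS = {
    "subject_a": [0.9, 0.1, 0.1, 0.1, 0.1, 0.1],
    "subject_b": [0.1, 0.1, 0.1, 0.1, 0.1, 0.9],
}


def run_split():
    """Offload layers 2 and 3, classify once, return the label and the transcript."""
    server = RemoteServer()
    device = MobileDevice(KERNELS, CLASS_DEFINITIONS, lower=1, upper=3)
    device.offload(server)
    label = device.classify(RAW_INPUT, server)
    return label, server.received


if __name__ == "__main__":
    label, transcript = run_split()
    print("prediction:", label)
    for kind, payload in transcript:
        print(kind, payload)
```

The server's transcript is the complete record of what crossed the boundary: the configuration of the two offloaded layers and feature map 1, and neither the raw input nor the class definitions.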
  • stage 501 for determining a placement of an upper partition in the neural network model comprises eight stages.
  • starting position of the upper partition is considered.
  • the starting position of the upper partition may be a fixed position (e.g. the middle layer) that is determined using an optimization algorithm or is defined in the system configuration.
  • threshold performance and privacy scores are determined.
  • determining the threshold performance score may comprise dynamic evaluation of the free (i.e. available) computational resource, e.g. processor capacity, of the remote server.
  • determining a threshold privacy score may comprise a manual evaluation of the perceived trustworthiness of the operator of the remote server, and/or a measure of security of the wireless network communicating the mobile computing device and the remote server.
  • a sum of the performance scores of upper layers of the neural network, i.e. layers of operations successively after the upper partition, is determined.
  • the sum of performance scores determined at stage 603 is compared to the threshold performance score determined at stage 602.
  • this stage may comprise a check that the sum of performance scores does not exceed the threshold performance score.
  • this stage may comprise a check that the sum of performance scores is within a specific range of values relative to the threshold performance score. If the determination at stage 605 is answered in the affirmative, indicating that the sum of performance scores is considered acceptable, e.g. that the computational demand of the layers is less than the free computational resource of the second computing device, the computer program proceeds to run stage 606 of the method.
  • the computer program returns to stage 601.
  • the upper partition is repositioned by moving the partition rightwards, such that the number of upper layers of operations is reduced, and the number of intermediate layers is correspondingly increased.
  • the expectation of this repositioning of the partition is that the summed computational demand of the reduced number of upper layers may be correspondingly reduced.
  • the method of stages 601 to 605 is thus repeated until the check at stage 605 is answered in the affirmative, at which time the method proceeds to stage 606.
  • the mobile computing device 102 obtains pre-defined lowest and upmost boundaries that limit the position moves, starts the upper partition with the lowest boundary, and adds layers till crossing the threshold of performance or security risk.
  • a comparison is made between the privacy score of each of the upper layers of the neural network and the threshold privacy score.
  • At stage 607, based on the comparison made at stage 606, a check is made as to whether the privacy score of each of the layers after the upper partition is considered acceptable compared to the threshold privacy score.
  • stage 607 may comprise checking that the privacy risk of each of the upper layers, as codified by the respective privacy scores of the layers, does not exceed the threshold privacy score. If the check at stage 607 is answered in the affirmative, indicating that the privacy scores of the layers are considered acceptable, the computer program proceeds to implement stage 608 of the method.
  • the computer program returns to execution of stage 601, whereby the upper partition is repositioned to reduce the number of upper layers, and the processes of stages 602 to 607 are repeated, until the question at stage 607 is answered in the affirmative, indicating that the privacy scores are considered acceptable.
  • the process goes from 601 to 606 and then to 607. That is, the processes of stages 601, 606 and 607 are repeated, until the question at stage 607 is answered in the affirmative.
  • the position of the upper partition is set and stored in memory of the first computing device 102.
  • stage 502 for determining a placement of a lower partition in the neural network model may be implemented using a modified version of the method of stages 601 to 602.
  • the summing operation at stage 603 may be modified to sum performance scores of lower layers of the neural network, i.e. layers that are successively before the lower partition.
  • a similar modification may be made to the process of stage 606, such that at stage 606 the privacy scores of lower layers of the neural network model are compared to the threshold privacy score.
  • another example of stage 501 for determining a placement of an upper partition in the neural network model.
  • private data is concentrated in the higher layers, since low layers are focused on classification of the generic features and only in the higher levels do small details start to connect into a full picture of the person. That is, the lower the layer, the lower the risk of disclosure of the proprietary information.
  • the upper partition of this example starts with less risky low layers and layers are added to upper layers one by one till reaching maximal allowed privacy “exposure” level.
  • At the maximal acceptable privacy impact threshold, it is checked if the upper layers satisfy performance conditions, and the partition composition is finalized if the performance conditions are satisfied. If the performance capabilities are exceeded, the highest layers are removed one by one till crossing the performance threshold back. There is no need to re-evaluate privacy impact, since by removing layers from the offload partition we can only improve privacy protection.
  • threshold performance and privacy scores are determined, which is the same as or similar to stage 602 above.
  • an initial position of the upper partition is set to be the same as the lower boundary. That is, at this time the layers of the neural network are divided into two parts, namely the upper layers and the lower layers.
  • the upper partition is moved upwards by 1 layer. That is, at this time the layers of the neural network are divided into three parts, namely the upper layers, the middle layer including one layer, and the lower layers.
  • the number of the lower layers is one less than that at stage 702.
  • stage 705 a comparison is made between the sum of privacy scores calculated at stage 704 and the threshold privacy score determined at stage 701.
  • stage 706 based on the comparison made at stage 705, a check is made as to whether the sum of privacy scores calculated at stage 704 is acceptable compared to the threshold privacy score.
  • stage 706 may comprise checking that the total privacy risk of all of the middle layers does not exceed the threshold privacy score. If the check at stage 706 is answered in the affirmative, indicating that the privacy scores of the layers are considered acceptable, the method goes back to implement stage 703 to move the upper partition one layer up. That is, at stage 703, one layer is removed from the upper layers and is added to the middle layers.
  • stages 703 to 706 are repeated, until the question at stage 706 is answered in the negative.
  • stage 708 the method goes to execution of stage 708, whereby the upper partition is repositioned, namely the upper partition is moved 1 layer down. That is, at stage 708, one layer is removed from the middle layers and is added to the upper layers to make the sum of privacy scores of the middle layers acceptable.
  • the sum of performance scores calculated at stage 709 is compared to the threshold performance score obtained at stage 701 to determine whether or not the sum of performance scores determined at stage 709 is acceptable (namely below the performance threshold).
  • stage 710 If the check at stage 710 is answered in the negative, indicating that the sum of privacy scores is not acceptable, the method goes back to execution of stage 708, whereby the upper partition is repositioned again, namely the upper partition is moved 1 layer down again. That is, at stage 708, one more layer is removed from the middle layers and is added to the upper layers.
  • stages 708 to 710 are repeated, until the question at stage 710 is answered in the affirmative, to make the sum of performance scores of the middle layers acceptable. If the check at stage 710 is answered in the affirmative, indicating that the sum of privacy scores is acceptable, the upper partition is finished.
  • the position of the upper partition may be stored in memory of the first computing device 102.
  • stage 502 for determining a placement of a lower partition in the neural network model may be implemented using a similar or same version of the method of stages 701 to 710.
  • the first layer 401 of the neural network model being located successively before the lower partition 802, may be retained for execution on the central processing unit 201 of the mobile computing device 102. This advantageously avoids the requirement to share the input into the first layer 401 (e.g. the input image data 405) with the remote server 103. Instead, only the first intermediate representation of the input image data, in the form of feature map 1, is shared with the remote server 103.
  • the second and third layers, 402, 403 respectively, of the neural network model may be offloaded to the remote server 103 for execution, thereby utilising computational resource of the remote server 103, and conserving computational resource of the mobile computing device 102.
  • data defining the configuration of the second and third layers 402, 403, and the feature map 1 is transmitted by the mobile computing device 102 to the remote server 103, to facilitate execution of operations of the second and third layers.
  • An output of the third layer 403 on the remote server 103 is a further intermediate representation (i.e. a second intermediate representation) of the input image data, i.e. feature map 3, which may be returned to the mobile computing device 102 via the wireless network.
  • the fourth layer 404 of the neural network model i.e. the fully-connected classification layer, being located successively after the upper partition 801, may be retained for execution on the mobile computing device 102.
  • the fourth layer 404 thus takes as an input the feature map n output by the third layer 403, in addition to predefined classification definitions stored in flash memory 202 of the mobile computing device 102, and outputs one or more classification predictions for the input image data.
  • the classification predictions may be identity predictions for the subject of the input image data 405.
  • computational processes involved in classifying input data using a neural network classifier are distributed between the mobile computing device 102 and the remote server 103.
  • This distribution may advantageously increase the computational resource available for executing operations of the neural network model, thereby desirably reducing the time required for execution of the model, and/or enabling execution of a more complex neural network model for the classification task.
  • the volume of information shared with the remote server may be maintained relatively low. Consequently, the privacy of the information may be protected.
  • highly confidential information, such as classification definitions and classification predictions, associated with the classification operations is not required to be shared with the remote server, and thus the risk of misappropriation or other exposure of those items of data is reduced.
  • the computer program run by mobile computing device 102 causes the central processing unit 201 of mobile computing device 102 to obtain and load a deep neural network model trained for the intended classification task.
  • threshold performance and privacy scores are statically determined by the mobile computing device 102.
  • a determination is made for a placement of an upper partition, i.e. a partition demarcating a last layer of the neural network model to be offloaded to the remote server 103, and a determination is made for a placement of a lower partition, i.e. a partition demarcating a first layer of the neural network model to be offloaded to the remote server 103.
  • each of stages 501 and 502 includes stage 602 for determining dynamic threshold performance and privacy scores using run time performance tests. So stage 900 is optional if stage 602 is performed. Optionally, stage 602 may be omitted if stage 900 is performed.
  • the intermediate operations of the neural network model are offloaded to the remote server 103.
  • the computer program causes the central processing unit 201 of the mobile computing device 102 to receive input data for classification by the neural network classifier model.
  • the intermediate operations are loaded onto the central processing unit 201’ of the remote server 103.
  • lower layers of the neural network model are executed on the mobile computing device 102, resulting in generation of feature map 1.
  • feature map 1 is transmitted, via the wireless communication network, to the remote server 103.
  • the intermediate layers of the neural network are executed on the remote server 103 based on the feature map 1, resulting in generation of feature map n.
  • feature map n is transmitted back to the mobile computing device 102, via the wireless network.
  • the upper layers of the neural network model are executed on the mobile computing device, based on the feature map n.
  • the computer program causes the mobile computing device 102 to output classification prediction(s) obtained by execution of the neural network on the received input data.
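The upper-partition search of stages 701 to 710 can be followed on a small model. The sketch below is an added example, not code from the patent: the four layers borrow the reference numerals 401 to 404, while every score, both thresholds, the reading of "acceptable" as "sum does not exceed the threshold", and the stop at the top of the model are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    performance: float  # compute cost of the layer (constructed units)
    privacy: float      # privacy risk of exposing the layer (constructed units)


# Constructed sample model: scores are illustrative, not taken from the page.
MODEL = [
    Layer("layer 401", performance=4, privacy=9),  # sees the raw input
    Layer("layer 402", performance=6, privacy=1),
    Layer("layer 403", performance=6, privacy=2),
    Layer("layer 404", performance=2, privacy=8),  # fully-connected classifier
]


def place_upper_partition(layers, lower, privacy_threshold, performance_threshold):
    """Return `upper` such that layers[lower:upper] is the offloaded middle part.

    layers[:lower] are the lower layers and layers[upper:] the upper layers;
    both stay on the device.
    """
    if not 0 <= lower <= len(layers):
        raise ValueError("lower partition lies outside the model")

    # Stage 702: the upper partition starts on the lower boundary.
    upper = lower

    # Stages 703 to 706: grow the middle part one layer at a time while the
    # summed privacy score of the middle layers stays acceptable.
    # Assumption: the search also stops when the top of the model is reached,
    # a case the page does not describe.
    while upper < len(layers):
        upper += 1                                                   # stage 703
        privacy_sum = sum(l.privacy for l in layers[lower:upper])    # stage 704
        if privacy_sum > privacy_threshold:                          # stages 705, 706
            upper -= 1                                               # stage 708
            break

    # Stages 709 and 710: shrink the middle part until its summed performance
    # score is acceptable. Privacy is not re-checked, because removing layers
    # from the offloaded part cannot raise its summed privacy score.
    while upper > lower:
        performance_sum = sum(l.performance for l in layers[lower:upper])
        if performance_sum <= performance_threshold:
            break
        upper -= 1                                                   # stage 708 again

    return upper


def describe(layers, lower, upper):
    """Name the layers on each side of the two partitions."""
    names = [l.name for l in layers]
    return {
        "lower": names[:lower],
        "middle": names[lower:upper],
        "upper": names[upper:],
    }


if __name__ == "__main__":
    for privacy_t, performance_t in [(5, 20), (5, 8), (0.5, 20)]:
        upper = place_upper_partition(MODEL, 1, privacy_t, performance_t)
        print(privacy_t, performance_t, describe(MODEL, 1, upper))
```

With a privacy threshold too low for even one middle layer, the function returns the lower boundary, meaning nothing is offloaded.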

Abstract

A computing device for classifying input data is disclosed. The computing device comprises a memory configured to store machine-readable instructions defining a neural network comprising one or more feature classification operations, and the computing device is configured to: receive input data; output the input data or a feature map representing the input data to a further computing device; receive, from the further computing device, a further feature map representing the input data; and perform one or more of the feature classification operations of the neural network defined in the memory on the further feature map representing the input data to obtain a classification prediction for the input data. The computing device may thereby utilise computing resource, such as processor capacity, of the further computing device.

Description

DEVICE AND METHOD FOR CLASSIFYING INPUT DATA
Technical Field
The embodiment of the invention relates to classifying input data. Aspects of the embodiment of the invention relate to a computing device for classifying input data and to a method for classifying input data using a computing device.
Background Embodiment of the invention
Deep neural network classifiers employ successive layers of computational operations to progressively extract features from input data and generate a classification prediction for the input data. Execution of these computational operations may disadvantageously demand a relatively great amount of computational resource, such as memory and processor capacity, and energy supply. Such high demands for computational resource may however be problematic, such as where the neural network is run on a computing device having relatively low computational resources, for example, a mobile computing device.
Summary
An objective of the embodiment of the invention is to provide a safe device and method for reducing the demand on the computational resources of a computing device running a neural network classifier.
The foregoing and other objectives are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description, and the Figures.
A first aspect of the embodiment of the invention provides a computing device (i.e. a first computing device) for classifying input data, the computing device comprising a memory configured to store machine-readable instructions defining a neural network comprising one or more feature classification operations, wherein the computing device is configured to: receive input data; output the input data or a feature map (i.e. a first feature map) representing the input data to a further computing device (i.e. a second computing device); receive, from the further computing device, a further feature map (i.e. a second feature map) representing the input data; and perform one or more of the feature classification operations of the neural network defined in the memory on the further feature map representing the input data to obtain a classification prediction for the input data.
The computing device is used for receiving input data, for example, input text, image, video, audio or sensor data. For example, the computing device may be a mobile computing device running application software configured to capture input data, such as image data via an onboard camera, and generate a classification prediction for characteristics of the input data, such as identification of a person in the image. The computing device outputs, e.g. transmits, the input data, or a feature map representing the input data, i.e. a structured but unclassified vector representation of the input data obtained in result of feature extraction or other processing operations performed on the input data, to the further computing device. The further computing device may be a remote computing device in communication with the computing device, for example, operating in a client-server relationship with the computing device via the internet.
Offloading the input data, or the feature map representing the input data, to the further computing device, may advantageously allow relatively resource consumptive feature extraction operations of the neural network, e.g. convolution operations, to be performed on the further computing device. This has the first advantage of conserving computational resource, such as processor capacity and energy budget, of the computing device, which may advantageously allow such computational resource of the computing device to be utilised for other operations, for example, for running other application software. Secondly, the operations of the neural network may benefit from computing resource, e.g. relatively higher processor capacity, available on the further computing device, which may advantageously allow faster execution of the neural network, or allow execution of a more complex and resource consumptive neural network.
However, a risk of exposure of confidential personal or system information, e.g. runnable code, executables, and configuration of the neural network, such as classification definitions, may exist in offloading operations of the neural network to the further computing device. This is a particular concern when the further computing device is operated by an untrusted third party, or where the data connection between the computing devices is insecure.
Considering a balance between protecting the privacy of information associated with the classification operations of the neural network, such as class definitions and classification predictions, and conserving limited computational resource of the computing device, it may be considered acceptable to offload certain operations of the neural network, e.g. feature extraction operations of the neural network to the further computing device. This acceptability arises because the inputs and outputs of feature extraction layers, i.e. feature maps, will typically contain only relatively anonymous information regarding local features of the data, e.g. edges, shapes or gradients, such that the risk associated with exposure of the offloaded data is relatively low. However, successively final, fully-connected layers, of the neural network may have as inputs composite and aggregated information from all preceding feature extraction layers. In particular, classification layers, i.e. layers of operations for inferring a class to the input data by reference to class definitions, may additionally have as inputs class definitions and other sensitive classification information, and will output classification predictions for the input data. All of these data items may be considered confidential, and it may thus be considered desirable to avoid sharing this information with an untrusted or insecure further computing device.
The embodiment of the invention thus provides for offloading feature extraction operations of the neural network, to a further computing device, e.g. a remote server, whilst retaining classification operations, on the computing device, e.g. a mobile computing device. The further computing device is thus only tasked with the offloaded operations, e.g. feature extraction operations; it receives only a feature map representing the input data from, and returns only a feature map representing the input data to, the computing device. The computing device may then perform classification operations of the neural network on the feature map locally, either directly using the feature map output by the further computing device or following further feature extraction operations (i.e. second feature extraction operations), by reference to locally stored class definition and other classification information. Consequently, certain confidential information, such as aggregated data from feature extraction operations, class definitions, classification predictions, and other classification information, is only required to be accessible by the computing device, and is not required to be shared with the further computing device.
The embodiment of the invention may thus advantageously result in improved performance of operations of the neural network, by reason of its utilising of computing resources, such as processor capacity of the further computing device. This may, for example, advantageously reduce the time to execute the neural network, or allow a complex, deep, neural network classifier, to be run on a computing device having relatively low computational resource. However, because classification operations remain on the computing device, e.g. the mobile computing device, rather than being offloaded to the further computing device, e.g. the remote server, the privacy of the classification predictions, class definitions and other confidential classification data, may desirably be maintained.
In an implementation, the computing device is further configured to generate a classification prediction for the input data by performing the one or more feature classification operations defined in the memory. A classification prediction may thus be obtained for the input data.
In an implementation, the memory is further configured to store machine-readable classification definitions, and the computing device is further configured to access one or more of the classification definitions stored in the memory, and generate the classification prediction for the input data by performing the one or more feature classification operations defined in the memory based on one or more of the machine-readable classification definitions stored in the memory.
The classification definitions define features of classifications relevant to infer a classification to input data. For example, in a task of identifying a person from an image, the classifications may index a person’s visual biometric information to their name. The classification definitions required for the classification task should be accessible to the first computing device. Storing the classification definitions in memory of the first computing device, i.e. local memory, may advantageously reduce latency in computations using the definitions, and further may advantageously reduce the risk of exposure of the classification definitions resulting from storage on untrusted remote memory or from interception of the definitions during transmission from remote memory to the first computing device.
In an implementation, the memory further stores one or more feature extraction operations, and the memory is further configured to store intermediate results of the neural network, and machine-readable rules defining: groups of one or more of the feature extraction and/or feature classification operations, each group having associated performance score representing a magnitude of a computational resource for computing the one or more operations of the group, and/or a privacy score representing a privacy risk associated with inputs, outputs or the operations of the group; an order for performance of the groups of the operations; and sources of operands for each group of operations in which operations of a first group in the order operate on the input data and operations of each subsequent group of operations in the order operate on one or more outputs of a preceding group of operations.
For example, each group may comprise operations of only a single layer of the neural network, such that effectively each layer of the neural network has associated therewith a performance and/or privacy score. As an alternative, each group may comprise plural consecutive layers of operations of the neural network, such that the plural layers of operations of the neural network have associated therewith a common performance and/or privacy score.
The performance score thus defines a magnitude of a computational resource required, for example, a computational processing, memory and/or energy requirement, for computing the one or more operations of the group. The performance score may thus be used for computing whether operations of the group may be executed by an available computational resource. In particular, the performance score may be used for determining whether groups may be successfully served by available computational resource of the computing device and/or the further computing device. The privacy score on the other hand quantifies a degree of detriment to privacy associated with exposure or other compromise of inputs and/or outputs, e.g. feature maps input or output by the operations of the group, e.g. runnable code, executables, configurations of the neural network, and/or class definitions used for classification. For example, the privacy score may be indicative of an ease of recoverability of the raw input data input into the neural network from a feature map output by the operations of the group. Alternatively/additionally, the privacy score may be indicative of a perceived confidentiality of information such as class definitions, for example, personal biometric information, and/or model configurations, associated with the operations of the group.
The privacy score may, for example, be a manually determined value based on a subjective assessment of a perceived harm associated with exposure of the inputs/outputs/operations of the operations of the group. For example, where class definitions contain personal biometric information, the privacy score may indicate the highly confidential nature of this information by a correspondingly high score. As an example alternative, the privacy score may be an objective determination based, for example, on a statistical analysis of the recoverability of raw input data from intermediate results input/output by operations of the group.
In an implementation, the computing device is configured to determine a threshold performance score, determine a sum of performance scores associated with a set of one or more consecutive groups of the groups of the operations including a last group in the order, and compare the sum of performance scores associated with the set of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores is acceptable compared to the threshold performance score.
In other words, the computing device may compare the computational resource required for execution of operations of the set of consecutive groups of the operations to a threshold performance score, i.e. a threshold value of computational resource, and determine the relationship. For example, the threshold performance score may represent an available computational resource of the computing device, e.g. the mobile computing device, and this step may thus comprise comparing the computational resource demanded for executing operations of the set of one or more consecutive groups to the available computational resource of the first computing device. The threshold score may be constructed, for example, such that a ‘lower’ relationship of the sum of performance scores to the threshold performance score indicates an acceptable relationship. Thus, by this comparison, it may be determined whether the operations of the set of one or more consecutive groups can be executed on the computing device using the available computational resource of the computing device. This may thus allow for the operations of the set of one or more consecutive groups, including the last group in the order, to be retained for performance on the computing device, instead of being offloaded to the further computing device. The threshold performance score may, for example, be dynamically determined by real-time analysis of the available computational resource, e.g. processor/memory capacity, or may alternatively be a static pre-determined value.
For example, it may generally be desirable to minimise the number of operations, and so groups of operations, which are retained for execution on the computing device, i.e. it may be desirable to maximise the number of groups of operations which are offloaded to the further computing device, in order to conserve computational resource of the first computing device for usage by other applications running on the computing device. In this scenario, it may thus be desired that a threshold performance score, defining an upper bound of computational resource available for execution of operations of the neural network, is not exceeded by the computational resource demand of retained operations, i.e. operations of the set of one or more consecutive groups of operations.
In an implementation, the computing device is configured to determine a threshold privacy score, and compare one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determine if a privacy score associated with one or more of the groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
The threshold privacy score may define an acceptable level of privacy risk, such that for example, a higher (or alternatively lower) privacy score indicates an unacceptable privacy risk. This operation may thus advantageously determine whether or not the set of one or more consecutive groups of operations present an acceptably low privacy risk compared to the threshold privacy score. The threshold privacy score may, for example, be a predetermined value. The privacy scores of each group of the set of one or more consecutive groups may be individually compared to the threshold privacy score, which may advantageously ensure that the privacy score of each group is acceptable. Comparing the privacy score of each group of the set of one or more groups to the threshold privacy score may however incur excessive computational cost and/or result in delay. As an alternative therefore, the privacy score of a subset of the groups may be checked, for example, a first and last group of the set of groups, from which a probability of the privacy scores of the other layers being acceptable may be inferred.
In an implementation, comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing a privacy score associated with each group of the set of one or more groups to the threshold privacy score and determining if the privacy score associated with each of the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score. Comparing a privacy score of each group to the threshold privacy score may desirably ensure that the privacy score of each group is considered acceptable, thereby reducing the level of privacy risk associated with the neural network.
In an implementation, comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing privacy scores associated with a respective one of a first group and a last group in the set of one or more consecutive groups to the threshold privacy score and determining if the privacy scores associated with each of the first group and the last group of the set of one or more consecutive groups are acceptable compared to the threshold privacy score. In other words, the computing device may be configured to compare privacy scores of only a subset of the set of groups, including first and last groups of the set, to the threshold privacy score. For example, the method may comprise comparing privacy scores of only first and last groups of the set to the threshold privacy score. Inputs and outputs, e.g. feature maps, of a first group of the set are likely to present the greatest risk of recoverability of the input data of the neural network, e.g. an input image of a person, given that the input data has undergone the fewest transformations at that point of the neural network. Conversely, inputs and outputs of a last group of the set may include highly confidential class definitions and classification predictions respectively. The first and last groups of the set may thus likely represent the greatest privacy risk of any groups of the set. Accordingly, if the privacy scores of the first and last groups of the set are determined acceptable compared to the threshold privacy score, it may typically be safely assumed that privacy scores of intermediate groups of the set are also acceptable.
Comparing privacy scores of only a subset of groups of the set to the threshold privacy score may advantageously reduce computational resource consumed in the comparison operations, as compared to comparing privacy scores of every one of the groups of the set.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the one or more privacy scores associated with one or more groups of the set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the set for performance on the computing device. In other words, once it has been determined that the performance and/or privacy scores of the one or more groups of the set are acceptable compared to the respective threshold scores, the computing device may flag operations of those groups for execution on the computing device. Thus, the threshold performance score may represent a maximum available computational resource of the computing device, and on determining that the operations of the one or more groups may be served by that available computational resource, it can be determined that those operations may be performed on the computing device. The computing device may be configured to compare both of the performance score(s) and the privacy score(s) to the respective thresholds.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the privacy scores associated with one or more of the groups of the set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the set of one or more consecutive groups. In other words, if it is determined that the performance score(s) and/or the privacy score(s) are acceptable compared to the respective thresholds, the flagged operations of the set of one or more groups are executed on the computing device.
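The checks described in the preceding implementations, from the performance sum over a set of consecutive groups ending at the last group through to flagging, can be run side by side in both privacy modes. This is an added example, not code from the patent: the group names, scores and thresholds are constructed, "acceptable" is assumed to mean "does not exceed the threshold", and both checks are required to pass (the "and" reading of "and/or").

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    performance: float  # constructed units
    privacy: float      # constructed units


# Constructed sample: five groups in execution order, the last one ("g5")
# standing for the classification group.
GROUPS = [
    Group("g1", performance=5, privacy=9),
    Group("g2", performance=2, privacy=3),
    Group("g3", performance=3, privacy=7),
    Group("g4", performance=2, privacy=2),
    Group("g5", performance=1, privacy=4),
]


def performance_acceptable(groups, threshold):
    """Summed performance score of the set against the threshold."""
    return sum(g.performance for g in groups) <= threshold


def privacy_acceptable(groups, threshold, mode):
    """Privacy check in one of the two modes described on the page.

    "each"       compares every group of the set to the threshold.
    "first_last" compares only the first and last groups of the set.
    """
    if not groups:
        raise ValueError("the set must contain at least one group")
    if mode == "each":
        checked = groups
    elif mode == "first_last":
        checked = [groups[0], groups[-1]]  # same group twice for a set of one
    else:
        raise ValueError(f"unknown mode: {mode}")
    return all(g.privacy <= threshold for g in checked)


def unchecked_violations(groups, threshold):
    """Intermediate groups over the threshold that "first_last" never inspects."""
    return [g.name for g in groups[1:-1] if g.privacy > threshold]


def flag_for_device(all_groups, start, performance_threshold, privacy_threshold, mode):
    """Return the names of groups flagged for performance on the device.

    The set is all_groups[start:], so it is consecutive and always includes
    the last group in the order. An empty list means nothing was flagged.
    """
    retained = all_groups[start:]
    if not retained:
        raise ValueError("the set must include the last group in the order")
    if performance_acceptable(retained, performance_threshold) and \
            privacy_acceptable(retained, privacy_threshold, mode):
        return [g.name for g in retained]
    return []


if __name__ == "__main__":
    for mode in ("first_last", "each"):
        print(mode, flag_for_device(GROUPS, 1, 10, 5, mode))
    print("not inspected by first_last:", unchecked_violations(GROUPS[1:], 5))
```

On this constructed input the two modes disagree: the first-and-last check flags the set while the per-group check rejects it because of "g3", which is the case the subset shortcut trades away for lower comparison cost.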
In an implementation, the threshold performance score is representative of a computational processing capability of the computing device. The threshold performance score may advantageously thereby allow comparison of the computational requirement of operations of the set of one or more groups of operations to the processing capability of the computing device, to thereby allow determination of operations which may be retained for execution by the computing device.
In an implementation, the threshold performance score is a predetermined value stored in the memory. For example, the threshold performance score could be specified by the designer of the neural network based on the expected computational resource of the computing device and/or the further computing device. A predetermined value may advantageously be a relatively simple means of defining a computational capability of the respective computing devices. In particular, using a predetermined value may advantageously be relatively more robust and less susceptible to corruption than other methods of generating the threshold performance score, for example, dynamic generation of the score.
In an implementation, the computing device is further configured to determine the threshold performance score by evaluating a computational resource of the computing device. This may advantageously allow execution of the neural network to be adjusted to suit the particular computational capability of the computing device. For example, where the computing device has only a relatively low computational resource, e.g. low processor capacity, such that only a relatively low amount of computational resource of the computing device is available for execution of operations of the neural network, the threshold performance score may be lowered, such that only operations whose performance score sum is acceptably low are retained on the computing device. Determination of the threshold performance score by evaluating the computational capability of the computing device may thus allow for more optimal utilisation of computational resource of the computing device compared to a predetermined threshold performance score. In particular, determination of the threshold performance score by evaluation of the computational capability of the computing device may advantageously avoid: (a) under-utilising computational resource of the computing device, which may undesirably result in an excessively high level of offloading of operations, and consequently increase the risk to privacy of the neural network; and (b) overloading the computing device with operations of the neural network for execution, which may undesirably result in excessive queuing of operations and so undesirably increase the time required for execution of the neural network.
In an implementation, the threshold privacy score is representative of a threshold privacy risk associated with inputs, outputs or operations of the groups of the operations. In other words, the threshold privacy score may quantify a degree of detriment to privacy associated with exposure or other compromise of inputs and/or outputs, e.g. intermediate results such as feature maps, input or output by the groups, and/or operations of the groups, e.g. runnable code, executables, configurations of the groups, and/or class definitions used for classification, that is considered subjectively acceptable.
In an implementation, the threshold privacy score is a pre-determined value stored in the memory. For example, the threshold privacy score may be specified by the designer of the neural network based on a degree of privacy risk considered commercially acceptable. A predetermined value may advantageously be a relatively simple means of defining the acceptable risk, and provide certainty that the specified level of risk will not be exceeded. Further, using a predetermined value may advantageously be relatively more robust and less susceptible to corruption than other methods of generating the threshold privacy score, for example, dynamic generation of the score.
In an implementation, the computing device is further configured to determine the threshold privacy score by evaluating a privacy risk associated with performance of operations of the set of one or more consecutive groups of operations by the further computing device.
For example, the threshold privacy score may be based on the perceived trustworthiness of the further computing device, and/or the security of the data connection between the computing device and the further computing device. For example, if the further computing device is operated by an untrustworthy third party, the threshold privacy score may be reduced to thereby ensure that only very low risk layers are offloaded. This may thus optimise a balance between performance of the neural network and the privacy risk associated with offloading operations of the neural network to the further computing device.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups not being determined acceptable, determine a sum of performance scores associated with a subset of one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups, and compare the sum of performance scores associated with the subset of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores associated with the subset of one or more consecutive groups is acceptable compared to the threshold performance score.
In other words, if the set of one or more consecutive groups is found to require a level of computational resource exceeding the available computational resource of the computing device, as indicated by the sum of performance scores of the set of groups not being determined acceptable, the method may comprise excluding one or more initial groups of the set of groups, such that the subset comprises fewer groups of operations. Fewer groups of operations may be expected to require a correspondingly lower level of computational resource for execution. Performance scores of the subset of groups are again summed and compared to the threshold score, to determine if the subset of groups can be supported by the computing resource of the computing device.
In an implementation, the computing device is further configured to, in response to the one or more privacy scores associated with one or more groups of the set of one or more consecutive groups not being determined acceptable, compare one or more privacy scores associated with one or more groups of a subset of the one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups to the threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the subset of one or more consecutive groups is acceptable compared to the threshold privacy score.
In other words, the method may comprise comparing privacy scores of the set of one or more groups to the threshold privacy score, and if the privacy scores are not determined to be acceptable in comparison, reducing the number of groups to form a subset of groups, and repeating the comparison until a subset of groups with acceptable privacy scores is identified. Ideally, the same subset of groups will undergo both the performance score comparison and the privacy score comparison. This may advantageously ensure that the subset of groups has undergone, and passed, both checks.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of the subset of one or more consecutive groups being determined acceptable, flag operations of the subset of groups for performance on the computing device.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of the subset of one or more consecutive groups being determined acceptable, perform operations of the subset of groups.
In an implementation, the computing device is further configured to perform one or more of the feature extraction operations (i.e. first feature extraction operations) on the input data and output a feature map representing the input data resulting from performing the one or more feature extraction operations to the further computing device.
In other words, the computing device may perform preliminary feature extraction operations on the input data locally, i.e. on the computing device itself, and only output to the further computing device a feature map representing the input data generated by the preliminary feature extraction operations. Advantageously, this means that the raw input data is not required to be shared with the further computing device; the further computing device receives only the feature map generated by the feature extraction operation(s), thereby reducing the risk of misappropriation or other exposure of the potentially confidential raw input data by the further computing device.
In an implementation, the computing device is further configured to determine a further threshold performance score, determine a sum of performance scores associated with a further set (i.e. a second set) of one or more consecutive groups of the groups of operations including a first group in the order, and compare the sum of performance scores associated with the further set of one or more consecutive groups to the further threshold performance score and determine if the sum of the performance scores associated with the further set of one or more consecutive groups is acceptable compared to the further threshold performance score.
In an implementation, the computing device is further configured to determine a further threshold privacy score, and compare one or more privacy scores associated with one or more groups of the further set of one or more consecutive groups to the further threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups is acceptable compared to the further threshold privacy score.
In an implementation, the comparing one or more privacy scores associated with the one or more groups of the further set of groups to the further threshold privacy score and determining if the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups is acceptable compared to the further threshold privacy score comprises comparing privacy scores associated with a respective one of a first group and a last group of the further set of groups to the further threshold privacy score and determining if the privacy scores associated with each of the first group and the last group of the further set of groups is acceptable compared to the further threshold privacy score.
The privacy score of the first group of the further set of groups may typically be expected to be the greatest, i.e. indicating the greatest privacy risk, because it receives input data and outputs data that is most similar to the input data. The risk of recovery of the input data, which may be confidential, from the inputs/outputs of the first group of the further set of groups is thus likely to be the greatest. Consequently, comparing the privacy score of a group of layers, i.e. the subset of layers, to the threshold privacy score ensures that in all likelihood the privacy scores of all of the layers of the group will be acceptable.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the further set of groups for performance on the computing device.
In an implementation, the computing device is further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the further set of groups. In other words, where the computing device has sufficient free computational resource, the computing device may perform a preliminary feature extraction operation (i.e. a first feature extraction operation) on the input data, i.e. the group of feature extraction operations including the first group of the further set of groups, and output to the second computing device an intermediate representation (i.e. a first intermediate representation) of the input data generated by the preliminary feature extraction operations. Advantageously, this means that the raw input data is not required to be shared with the second computing device, thereby reducing the risk of misappropriation or other exposure of the raw input data by the second computing device.
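The partition search described in the implementations above, as an added Python example that is not part of the patent text: a set of consecutive layers ending at the last layer is shrunk from the front until its performance sum fits the threshold, a further set starting at the first layer is fitted to the further threshold, and the layers left in between are the offload candidates. Assumptions: all names, the six-layer model and its scores are constructed; a performance sum is "acceptable" when it does not exceed its threshold; the further set is shrunk from its end in the same way; and the privacy threshold is read as the highest privacy score allowed to leave the device.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    perf: int      # performance score: higher means more compute needed
    privacy: int   # privacy score: higher means more confidential


@dataclass(frozen=True)
class Plan:
    lower: Tuple[str, ...]       # further set: run locally, starts at the first layer
    offloaded: Tuple[str, ...]   # intermediate layers sent to the further device
    upper: Tuple[str, ...]       # set ending at the last layer, run locally
    violations: Tuple[str, ...]  # offloaded layers scoring above the privacy threshold

    @property
    def acceptable(self) -> bool:
        return not self.violations


def perf_sum(layers: Sequence[Layer]) -> int:
    return sum(layer.perf for layer in layers)


def upper_start(layers: List[Layer], threshold: int) -> int:
    """Exclude initial layers until the remaining suffix fits the threshold.

    Returns the index of the first retained layer; len(layers) means that
    not even the last layer fits and nothing can be retained.
    """
    k = 0
    while k < len(layers) and perf_sum(layers[k:]) > threshold:
        k += 1
    return k


def lower_end(layers: List[Layer], limit: int, threshold: int) -> int:
    """Shrink the prefix layers[:limit] from its end until it fits (assumed rule)."""
    j = limit
    while j > 0 and perf_sum(layers[:j]) > threshold:
        j -= 1
    return j


def plan_partitions(layers: Sequence[Layer], perf_threshold: int,
                    further_perf_threshold: int, privacy_threshold: int) -> Plan:
    layers = list(layers)
    k = upper_start(layers, perf_threshold)            # upper partition
    j = lower_end(layers, k, further_perf_threshold)   # lower partition
    middle = layers[j:k]
    # Assumed privacy rule: no layer scoring above the threshold may be offloaded.
    violations = tuple(l.name for l in middle if l.privacy > privacy_threshold)
    names = lambda part: tuple(l.name for l in part)
    return Plan(names(layers[:j]), names(middle), names(layers[k:]), violations)


# Constructed model: five convolutional feature-extraction layers and one
# fully-connected classification layer. All scores are made up for illustration.
DEMO_LAYERS = (
    Layer("conv1", perf=2, privacy=9),   # sees the raw input
    Layer("conv2", perf=6, privacy=5),
    Layer("conv3", perf=8, privacy=3),
    Layer("conv4", perf=8, privacy=3),
    Layer("conv5", perf=4, privacy=6),
    Layer("fc", perf=3, privacy=9),      # sees aggregated features and class definitions
)

if __name__ == "__main__":
    for privacy_threshold in (5, 4):     # 4 models a less trusted further device
        plan = plan_partitions(DEMO_LAYERS, 8, 3, privacy_threshold)
        print(privacy_threshold, plan, "acceptable:", plan.acceptable)
```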
In an implementation, the input data comprises at least one of image data, video data and audio data. In other words, the computing device is configured for classifying image, video or audio data. The method may be particularly useful for classification of input image data. Input image data may require a particularly high level of computational resource, such as processor capacity, due to the inherent richness of image data. The method may thus allow for the required high demand for computational resource to be safely shared between the computing devices. For example, the input data may be an image of a person’s face, and a classification task may involve prediction of the subject’s identity by reference to class definitions such as biometric information. As an example alternative, the input data may be finger-print data, either in the form of image data or another form of data, and the computing device may be configured to classify input finger-print data using the neural network to identify a finger-print.
In an implementation, each of the one or more feature extraction operations comprises a convolution operation. This may be particularly advantageous where the neural network is for classification of input image data, as convolution operations may be particularly effective at extracting features from image data.
A second aspect of the embodiment of the invention provides a computing device for classifying input data, the computing device comprising: a memory storing machine-readable instructions defining one or more feature extraction operations, wherein the computing device is configured to: receive input data or a feature map representing the input data from a further computing device; perform one or more of the feature extraction operations stored in memory on the input data or the feature map representing the input data, generate a further feature map representing the input data resulting from the performance of the one or more feature extraction operations; and output the further feature map representing the input data to the further computing device.
In an implementation, the computing device is further configured to receive from the further computing device the machine-readable instructions defining the one or more feature extraction operations of the neural network.
A third aspect of the embodiment of the invention provides a method for classifying input data using a neural network, the method comprising receiving input data using a computing device and outputting the input data or a feature map representing the input data to a further computing device, receiving, using the computing device, a further feature map representing the input data from the further computing device, and performing on the computing device one or more feature classification operations of the neural network on the further feature map representing the input data.
A fourth aspect of the embodiment of the invention provides a method for classifying input data using a neural network, the method comprising: receiving, using a computing device, input data or a feature map representing the input data from a further computing device; performing, using the computing device, one or more feature extraction operations of the neural network on the input data or the feature map representing the input data, generating a further feature map representing the input data resulting from the performance of the one or more feature extraction operations; and outputting the further feature map representing the input data to the further computing device.
A fifth aspect of the embodiment of the invention provides a computer program comprising instructions, which, when executed by a computing device, cause the computing device to perform the method of the third aspect or the fourth aspect.
A sixth aspect of the embodiment of the invention provides a computer-readable data carrier having the computer program of the fifth aspect stored thereon.
These and other aspects of the embodiment of the invention will be apparent from the embodiment(s) described below.
Brief Description of the Drawings
In order that the embodiment of the invention may be more readily understood, embodiments of the embodiment of the invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 shows schematically an example of a computing system embodying an aspect of the embodiment of the invention;
Figure 2 shows schematically first and second computing devices of the computing system identified with reference to Figure 1;
Figure 3 shows processes of a method performed by a computer program run on the first computing device identified with reference to Figure 2 for classifying input data using a neural network classifier;
Figure 4 shows illustratively a neural network model used by the computer program identified with reference to Figure 3;
Figure 5 shows schematically processes involved in offloading layers of the neural network for execution by the second computing device, which include a process of determining an upper partition for the neural network model;
Figure 6 shows schematically processes involved in determining an upper partition for the neural network model;
Figure 7 shows schematically other processes involved in determining an upper partition for the neural network model;
Figure 8 shows illustratively a neural network model used by a computer program including partitions partitioning the layers of the neural network model; and
Figure 9 shows illustratively operations performed by the first and second computing devices identified with reference to Figure 2 during execution of the computer program identified with reference to Figure 3.
Detailed Description of the Embodiments
Referring firstly to Figure 1, a computing system 101 of the embodiment of the invention comprises a first computing device, for example a mobile computing device 102, and a second computing device (also named as a further computing device in all embodiments of the invention), for example a remote server 103. The computing system 101 is configured to run a computer program employing a neural network classifier for classification of input data, for example, input text, speech, image or video data.
The mobile computing device 102 may be embodied as a cellular telephone handset configured for communicating wirelessly with remote server 103 via a wireless telecommunication network 106. In the example, mobile computing device 102 comprises an electronic display screen 104 on a front of the cellular telephone handset. The electronic display screen 104 is configured to be ‘touch-sensitive’, for example, as a capacitive touch screen, so as to be receptive to a user input and thereby function as a human-machine interface between the computer program running on the mobile computing device 102 and a user. Mobile computing device 102 may further comprise an optical camera 105, for example, a CCD device, located on a rear of the cellular telephone handset, for capturing optical images. A function of mobile computing device 102 is to receive input data for classification. In the particular example, the mobile computing device 102 receives optical image data via the onboard optical camera 105. However, mobile computing device 102 may permissibly be replaced by an alternative computing device capable of performing the function of receiving image data, for example, a non-mobile computing device, and the various functional components of the computing device 102, such as the display screen 104, may alternatively be replaced by alternative components for fulfilling alternative functions, or omitted entirely if not needed for a particular application. Indeed, the particular form of the computing device 102 may be changed in alternative embodiments to suit reception of the particular type of data to be classified. For example, in an alternative embodiment in which the input data to be classified is text data received via the communication network 106, the mobile computing device 102 may be replaced by a non-mobile computing device without the optical camera 105.
The particular embodiment described in detail herein is thus given as an example only, and other embodiments of mobile computing device 102 may be taken into consideration by a person skilled in the art without departing from the invention.
In an embodiment, remote server 103 is configured as a ‘cloud’-based computing resource. The remote server 103 may thus be located remotely of the mobile computing device 102, for example, in a remote data centre. The remote server 103 is configured to communicate, e.g. exchange data, with the mobile computing device 102 via the wireless network 106.
Referring in particular to Figure 2, mobile computing device 102 and remote server 103 each comprise computational resource for executing tasks of a computer program run on the mobile computing device 102.
Mobile computing device 102 comprises central processing unit 201, flash memory 202, random-access memory 203, communication unit 204, battery 205, input/output interface 206, and system bus 207. Mobile computing device 102 is configured to run a computer program for classification of input data using a neural network classifier model, which is a model trained for classifying input data. The communication unit 204 may include a baseband chip and/or a WiFi chip. Central processing unit 201 is configured for execution of instructions of a computer program. Flash memory 202 is configured for non-volatile storage of computer programs for execution by the central processing unit 201. Random-access memory 203 is configured as read/write memory for storage of operational data associated with computer programs executed by the central processing unit 201. Communication unit 204 is provided for interfacing the mobile computing device 102 with the wireless telecommunication network. Battery 205 is provided for supplying electrical power to electrical consumers of the mobile computing device, such as central processing unit 201 and/or communication unit 204. Input/output interface 206 is provided for connection of the electronic display screen 104, optical camera 105, and a wireless transceiver for communicating via the wireless network. The components 201 to 206 of the mobile computing device 102 are in communication via system bus 207.
The flash memory 202 has a computer program for classifying input data using a neural network stored thereon. The mobile computing device 102 is thus configured, in accordance with the instructions of the computer program, to receive input data via the input/output interface 206, for example, input image data from the connected camera 105, and process the input data on the central processing unit 201 using a neural network trained for a classification task to thereby generate one or more classification predictions for the input data, e.g. the content of the input image data. The mobile computing device 102 is then configured to output the classification prediction(s), for example, for display to a user of the mobile computing device via the display screen 104 connected to the input/output interface 206. For example, a prompt (callout with text in bubble) like “Face ID Verified Successfully” may be shown on the screen. In an exemplary embodiment, the computer program stored in flash memory 202 is configured for identification of persons in input image data with reference to stored biometric information, such as information defining facial features. For example, when authenticating a user, the mobile computing device 102 captures an image of the user using the camera, performs feature extraction and classification together with the further computing device 103 as defined in any embodiment of the invention, and outputs the classification prediction of the user. The classification prediction is compared with the stored information defining facial features to determine whether the user is a legal or authorized user. Flash memory 202 may alternatively be replaced by an alternative type of memory.
As shown in Figure 2, remote server 103 comprises central processing unit 201’, flash memory 202’, random-access memory 203’, input/output interface 206’, and system bus 207’. Unlike mobile computing device 102, remote server 103 comprises a power supply 208 for connection to a source of mains electrical power, in place of the battery 205 of mobile computing device 102. Remote server 103 may comprise a wireless transceiver 204’ connected to input/output interface 206’, for communicating with the mobile computing device 102 via the wireless network.
Referring next in particular to Figure 3, the computer program for classifying input data using a neural network classifier, stored on the flash memory 202 of the mobile computing device 102, comprises five stages.
At stage 301, the computer program causes the central processing unit 201 to obtain and load a deep neural network model trained for the intended classification task stored in the flash memory 202. Stage 301 may, for example, comprise an initial stage of building and training a neural network model for the classification task, and storing the trained model in the flash memory 202. As an exemplary alternative, stage 301 may comprise obtaining a pre-trained neural network classifier model that is already stored in flash memory 202. In the embodiment, an example of the deep neural network model is a convolutional neural network model for an image classification task.
At stage 302, the computer program causes the central processing unit 102 to partition the neural network model obtained at stage 301, and offload, i.e. transmit, computational operations, e.g. convolutional operations, of one or more layers of the neural network model to the remote server 103 for execution by the CPU 201’ of the remote server. The transmitted computational operations may comprise data defining the configuration of the relevant one or more layers. Therefore, the remote server 103 has a neural network model to perform the operations expected by the mobile computing device 102. For example, the data defining the configuration of the relevant one or more layers includes metadata or executable data that describes the neural network layout, i.e. the architecture of one or more network layers that will run on the server side. Optionally, the data defining the configuration of the relevant one or more layers may further include a related portion of the network configuration (weights) needed for proper network functioning.
At stage 303, the computer program causes the central processing unit 201 of the mobile computing device 102 to receive input data for classification by the neural network classifier model. For example, this stage may involve the central processing unit 201 outputting a command to the camera 105 connected to the input/output interface 206 to capture an optical image. Stage 303 may thus, possibly, be initiated in response to a user input via the touch-sensitive display screen 104. As an exemplary alternative, this stage may involve the central processing unit 201 receiving input data for classification sent from an external device. For example, the central processing unit 201 outputs a command to the external device connected to the input/output interface 206 to cause the connected device to return input data for classification.
At stage 304, the computer program causes the central processing units 201, 201’ of the mobile computing device 102 and remote server 103 respectively, to execute respective operations of the neural network model on the input data received at stage 303. For example, the central processing unit 201 of the mobile computing device 102 does some local processing and sends an intermediate feature vector to the remote server 103. Then the central processing unit 201’ of the remote server 103 processes the intermediate feature vector (not the original input data) to obtain a feature vector and returns the obtained feature vector to the mobile computing device 102. At the conclusion of processes of stage 304 by the central processing unit 201’ of the remote server 103, i.e. when remote server 103 has executed all of the operations offloaded to it at stage 302, the computer program causes the remote server 103 to return resultant data to the mobile computing device 102 for storage in random access memory 203.
At stage 305, the computer program causes the mobile computing device 102 to output classification prediction(s) obtained by execution of the neural network classifier model for the received input data. For example, this stage may involve the mobile computing device 102 outputting the classification predictions in visual form via the display screen 104.
Referring next to Figure 4, the neural network classifier model obtained at stage 301 comprises a succession of discrete layers of computational operations, in the example, four layers 401, 402, 403 and 404, for operating successively on input image data 405.
The first three layers, 401 to 403, of the neural network model are convolutional operators, and form a feature extraction stage for progressively extracting features, such as edges and gradients, from the input image data 405. The image data 405 is thus input into the first convolutional feature extraction layer, layer 401. Computational operations of the first layer 401 perform feature extraction operations on the input data, based on trained weights and other parameters, and output an intermediate representation (i.e. a first intermediate representation), in the form of feature map 1, of the input image. The feature map 1 is fed as an input into the second layer 402, which in turn performs convolutional feature extraction operations on the feature map 1, and outputs a second feature map, feature map 2. And similarly, the third feature extraction layer 403 takes the feature map 2 as an input, and outputs feature map 3. It should be understood that whilst in the example the neural network model comprises just three feature extraction layers, 401 to 403, in practice the model may typically comprise many more successive layers, to thereby improve the completeness of the feature extraction task.
The fourth layer, layer 404, is a fully-connected classification layer, which forms a classification stage of the model. The fourth layer 404 is thus trained for prediction of one or more classifications for the input data, based on the features of the input data extracted during the feature extraction stage, as codified in the feature map 3, and predefined classification definitions. In the example, the neural network model is employed for identification of a person in an image. Thus, in addition to the feature map 3, the fully-connected classification layer 404 will also have as an input classification definitions, such as predefined biometric information, to permit inference of an identity of a subject based on extracted features of the image data. An output of the fourth layer 404 is the predicted classifications, which may for example be a probability matrix defining probabilities of the input image data belonging to plural classifications, i.e. the probabilities of the subject of the input image data having specific identities.
Each of the layers 401 to 404 of the neural network model has assigned thereto individual predetermined performance and privacy scores. The performance score of each layer quantifies a computational resource, specifically a computational processor capacity, required for complete execution of all operations of the respective layer. In the example, the performance score of each layer is a predefined value manually assigned by a designer of the neural network model. In the schema of the example, a high performance score is taken to denote a high level of computational resource required for execution of operations of the layer.
The privacy score of each layer quantifies a privacy risk associated with inputs, outputs or operations of the layer. More particularly, the privacy score of each layer codifies a perceived harm associated with a loss of privacy of the inputs, outputs or operations of the layer. In other words, the privacy score of each layer represents a perceived level of confidentiality of the inputs/outputs/operations of the layer. Similarly, in the example, a privacy score is manually assigned to each of the layers by a designer of the neural network model, and a high privacy score indicates highly confidential information representing a high privacy risk.
Referring next to Figure 5, the method of stage 302 for offloading layers of operations of the neural network model to the remote server 103 comprises three stages.
At stage 501, a determination is made for a placement of an upper partition, i.e. a partition demarcating a last layer of the neural network model to be offloaded to the remote server 103.
At stage 502, a determination is made for a placement of a lower partition, i.e. a partition demarcating a first layer of the neural network model to be offloaded to the remote server 103. The upper partition determined at stage 501, and the lower partition determined at stage 502, thus divide the layers of the neural network model into three parts: a first subset of the layers that are successively after the upper partition, i.e. upper layers; a second subset of the layers that are successively before the lower partition, i.e. lower layers; and a third subset of the layers that are located successively after the lower partition but before the upper partition, i.e. intermediate layers.
The significance of these three groups of layers is that the privacy scores of the layers of the neural network are likely to differ.
Most particularly, the upper layers of the neural network model, and in particular the fully-connected classification layer 404, may be expected to have a relatively high privacy score, indicating a perceived high level of confidentiality associated with the inputs, outputs or operations of the layer. In this regard, it is to be understood that the fully-connected classification layer 404 will receive as an input aggregated and composite feature information extracted by the layers of the preceding feature extraction stage. This aggregated feature information may be considered highly confidential for the reason that this data may provide a relatively complete representation of the input data, in the example, of the input image data 405. Where the input image data includes personally identifiable information, as in the example where the input image data is a photograph of a person, it may be highly undesirable for this aggregated feature information to be misappropriated by a third party or otherwise exposed.
Further, the fully-connected classification layers will additionally receive as an input classification definitions for use in the inference operations, and these classification definitions may in themselves contain confidential information. Notably, in the example classification task, the classification definitions may comprise biometric data and personally identifiable information, such as names, of persons relevant to the identification task. Such classification definitions may thus be considered highly confidential. Further, the classifications layer 404 has as an output the classification predictions, which may themselves be considered confidential. Furthermore, the classification layer 404 may comprise proprietary computational operations trained for the classification task, which may be considered commercially confidential and intended to be maintained as a trade secret. Upper layers of the neural network model may thus be assigned relatively high privacy scores. It may therefore be desirable to avoid offloading to the remote server upper layers of the remote server, and in particular, classification layers, in order to reduce the risk of misappropriation, or other exposure, of the various heads of confidential information associated with those layers. This may be a particular concern where the remote server 103 is operated by an untrusted third party, or where the wireless network used for transmitting data between the mobile computing device 102 and the remote server 103 is insecure.
Moreover, the lower layers of the neural network model, most notably the first layer 401, has as an input the actual input image data 405, and as an output the feature map 1 representing the input data following the single layer of feature extraction operations. The input image data may be considered highly confidential, for the reasons discussed above. Further, the feature map 1, representing feature information after only a single layer of operations, may still be highly representative of the input image data, and it may be possible for significant features of the input image data to be recovered by a ‘reverse-engineering’ technique performed on the feature map 1. Lower layers of the neural network model may thus also be assigned relatively high privacy scores, denoting a high privacy risk associated with inputs, outputs or operations of the layers. It may thus similarly be considered desirable to avoid offloading to the remote server the lower layers of the neural network model.
In contrast, the intermediate layers of the neural network, located between the upper and lower partitions of the neural network model, may each have relatively low privacy scores. This reflects the reality that each of these intermediate layers has knowledge of only a relatively small amount of relatively anonymous data. In particular, each of the intermediate layers has, as an input and an output, only an intermediate representation of the input image data, i.e. a feature map defining a narrow class of features of the input data. Accordingly, the intermediate layers may have relatively low privacy scores, representing a relatively low level of perceived harm that may result from misappropriation or exposure of the inputs, outputs or operations of the intermediate layers.
Thus, at stage 503 of the method, following determination of the upper and lower partitions of the neural network, the intermediate layers of operations of the neural network model may be offloaded to the remote server 103 for execution.
Referring next to Figure 6, the method of stage 501 for determining a placement of an upper partition in the neural network model comprises eight stages.
At stage 601, an arbitrary initial position of the upper partition is considered. Optionally, the starting position of the upper partition may be a fixed position (e.g. the middle layer) that is determined using an optimization algorithm or is defined in the system configuration.
At stage 602, threshold performance and privacy scores are determined. In the context of the task of offloading layers of operations of the neural network model to the remote server for execution, determining the threshold performance score may comprise dynamic evaluation of the free (i.e. available) computational resource, e.g. processor capacity, of the remote server. Similarly, determining a threshold privacy score may comprise a manual evaluation of the perceived trustworthiness of the operator of the remote server, and/or a measure of security of the wireless network communicating the mobile computing device and the remote server.
At stage 603, a sum of the performance score of upper layers of the neural network, i.e. layers of operations successively after the upper partition, is determined.
At stage 604, the sum of performance scores determined at stage 603 is compared to the threshold performance score determined at stage 602.
At stage 605, based on the comparison at stage 604, an assessment is made as to whether the sum of performance scores of the layers is acceptable compared to the threshold performance score. For example, this stage may comprise a check that the sum of performance scores does not exceed the threshold performance score. As an exemplary alternative, this stage may comprise a check that the sum of performance scores is within a specific range of values relative to the threshold performance score. If the determination at stage 605 is answered in the affirmative, indicating that the sum of performance scores is considered acceptable, e.g. that the computational demand of the layers is less than the free computational resource of the second computing device, the computer program proceeds to run stage 606 of the method.
Alternatively, if the determination at stage 605 is answered in the negative, indicating that the sum of the performance scores is not considered acceptable compared to the threshold performance score, e.g. because the computational demand of the layers after the upper partition exceeds the free computational resource of the remote server, the computer program returns to stage 601. In this event, on return to stage 601, the upper partition is repositioned by moving the partition rightwards, such that the number of upper layers of operations is reduced, and the number of intermediate layers is correspondingly increased. The expectation of this repositioning of the partition is that the summed computational demand of the reduced number of upper layers may be correspondingly reduced. The method of stages 601 to 605 is thus repeated until the check at stage 605 is answered in the affirmative, at which time the method proceeds to stage 606. For example, the mobile computing device 102 obtains pre-defined lowest and upmost boundaries that limit the position moves, starts the upper partition with the lowest boundary, and adds layers till crossing the threshold of performance or security risk.
At stage 606, a comparison is made between the privacy score of each of the upper layers of the neural network and the threshold privacy score.
At stage 607, based on the comparison made at stage 606, a check is made as to whether the privacy score of each of the layers after the upper partition is considered acceptable compared to the threshold privacy score. For example, where the threshold privacy score defines a maximum acceptable level of risk, stage 607 may comprise checking that the privacy risk of each of the upper layers, as codified by the respective privacy scores of the layers, does not exceed the threshold privacy score. If the check at stage 607 is answered in the affirmative, indicating that the privacy scores of the layers are considered acceptable, the computer program proceeds to implement stage 608 of the method.
In the alternative, if the check at stage 607 is answered in the negative, indicating that the privacy scores of one or more of the layers are not considered acceptable, the computer program returns to execution of stage 601, whereby the upper partition is repositioned to reduce the number of upper layers, and the processes of stages 602 to 607 are repeated, until the question at stage 607 is answered in the affirmative, indicating that the privacy scores are considered acceptable. Optionally, the process goes from 601 to 606 and then to 607. That is, the processes of stages 601, 606 and 607 are repeated, until the question at stage 607 is answered in the affirmative.
At stage 608, the position of the upper partition is set and stored in memory of the first computing device 102.
Referring still to Figure 6, the method of stage 502 for determining a placement of a lower partition in the neural network model may be implemented using a modified version of the method of stages 601 to 602.
In the modification, the summing operation at stage 603 may be modified to sum performance scores of lower layers of the neural network, i.e. layers that are successively before the lower partition. A similar modification may be made to the process of stage 606, such that at stage 606 the privacy scores of lower layers of the neural network model are compared to the threshold privacy score.
Referring next to Figure 7, another example of stage 501 for determining a placement of an upper partition in the neural network model is shown. In this method, private data is concentrated in the higher layers, since low layers are focused on classification of the generic features and only in the higher levels do small details start to connect into a full picture of the person. That is, the lower the layer, the lower the risk of disclosure of the proprietary information. So the upper partition of this example starts with less risky low layers, and layers are added to upper layers one by one till reaching the maximal allowed privacy “exposure” level. After reaching the maximal acceptable privacy impact threshold, it is checked whether the upper layers satisfy performance conditions, and the partition composition is finalized if the performance conditions are satisfied. If the performance capabilities are exceeded, the highest layers are removed one by one till crossing back below the performance threshold. There is no need to re-evaluate privacy impact, since removing layers from the offload partition can only improve privacy protection.
At stage 701, threshold performance and privacy scores are determined, which is the same as or similar to stage 602 above.
At stage 702, an initial position of the upper partition is set to the same position as the lower boundary. That is, at this time the layers of the neural network are divided into two parts, namely the upper layers and the lower layers.
At stage 703, the upper partition is moved upwards by 1 layer. That is, at this time the layers of the neural network are divided into three parts, namely the upper layers, the middle layer including one layer, and the lower layers. The number of the lower layers is one less than that at stage 702.
At stage 704, a sum of privacy scores of layers between lower and upper positions is calculated.
At stage 705, a comparison is made between the sum of privacy scores calculated at stage 704 and the threshold privacy score determined at stage 701.
At stage 706, based on the comparison made at stage 705, a check is made as to whether the sum of privacy scores calculated at stage 704 is acceptable compared to the threshold privacy score.
For example, where the threshold privacy score defines a maximum acceptable level of risk, stage 706 may comprise checking that the total privacy risk of all of the middle layers does not exceed the threshold privacy score. If the check at stage 706 is answered in the affirmative, indicating that the privacy scores of the layers are considered acceptable, the method goes back to implement stage 703 to move the upper partition one layer up. That is, at stage 703, one layer is removed from the upper layers and is added to the middle layers.
The processes of stages 703 to 706 are repeated, until the question at stage 706 is answered in the negative.
In the alternative, if the check at stage 706 is answered in the negative, indicating that the sum of privacy scores is not acceptable, the method goes to execution of stage 708, whereby the upper partition is repositioned, namely by moving the upper position 1 layer down. That is, at stage 708, one layer is removed from the middle layers and is added to the upper layers, so that the sum of privacy scores of the middle layers is acceptable.
At stage 709, a sum of performance scores of the middle layers between the lower and upper positions is calculated.
At stage 710, the sum of performance scores calculated at stage 709 is compared to the threshold performance score obtained at stage 701 to determine whether or not the sum of performance scores determined at stage 709 is acceptable (namely below the performance threshold).
If the check at stage 710 is answered in the negative, indicating that the sum of privacy scores is not acceptable, the method goes back to execution of stage 708, whereby the upper partition is repositioned again, namely by moving the upper position 1 layer down again. That is, at stage 708, one more layer is removed from the middle layers and is added to the upper layers.
The processes of stages 708 to 710 are repeated, until the question at stage 710 is answered in the affirmative, so that the sum of performance scores of the middle layers is acceptable. If the check at stage 710 is answered in the affirmative, indicating that the sum of privacy scores is acceptable, the placement of the upper partition is finished. The position of the upper partition may be stored in memory of the first computing device 102.
Referring still to Figure 7, the method of stage 502 for determining a placement of a lower partition in the neural network model may be implemented using a similar or same version of the method of stages 701 to 710.
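The Figure 7 procedure (stages 701 to 710) written out as an added Python example; it is not code from the patent. The `Layer` type, the score and threshold values, and the `upmost` boundary that keeps the classification layer on the device are constructed assumptions, and "acceptable" is taken to mean "does not exceed the threshold".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    performance: int  # compute demand of the layer (higher = more resource)
    privacy: int      # privacy risk of its inputs/outputs/operations (higher = worse)


# Constructed scores for the four-layer example (layers 401 to 404).
MODEL = [
    Layer("conv1", performance=4, privacy=9),   # sees the raw input image
    Layer("conv2", performance=6, privacy=2),
    Layer("conv3", performance=6, privacy=3),
    Layer("fc",    performance=2, privacy=10),  # holds classification definitions
]


def place_upper_partition(layers, lower, upmost,
                          privacy_threshold, performance_threshold):
    """Return index `upper`; layers[lower:upper] are the offloaded middle layers.

    `lower` is the lower partition (layers[:lower] stay on the device).
    `upmost` is an assumed hard boundary: layers[upmost:] are never offloaded.
    The thresholds correspond to stage 701 and are passed in by the caller.
    """
    if not 0 <= lower <= upmost <= len(layers):
        raise ValueError("need 0 <= lower <= upmost <= len(layers)")

    upper = lower                                   # stage 702: no middle layers yet
    while upper < upmost:
        upper += 1                                  # stage 703: move one layer up
        exposure = sum(l.privacy for l in layers[lower:upper])   # stage 704
        if exposure > privacy_threshold:            # stages 705/706: not acceptable
            upper -= 1                              # stage 708: step back down
            break

    # Stages 709/710: shrink until the offloaded compute demand fits.
    # Removing layers can only lower the summed privacy score, so the
    # privacy check is not repeated.
    while upper > lower and \
            sum(l.performance for l in layers[lower:upper]) > performance_threshold:
        upper -= 1                                  # stage 708 again
    return upper


def split(layers, lower, upper):
    """Name the three groups produced by the two partitions."""
    def names(part):
        return [l.name for l in part]
    return {
        "device_lower": names(layers[:lower]),
        "server": names(layers[lower:upper]),
        "device_upper": names(layers[upper:]),
    }


if __name__ == "__main__":
    for p_thr, c_thr in [(6, 15), (4, 15), (6, 10), (1, 15)]:
        upper = place_upper_partition(MODEL, lower=1, upmost=3,
                                      privacy_threshold=p_thr,
                                      performance_threshold=c_thr)
        print(f"privacy<={p_thr} perf<={c_thr} ->", split(MODEL, 1, upper))
```

With the first pair of thresholds the result matches the Figure 8 layout: `conv1` and `fc` stay on the device and only `conv2` and `conv3` are offloaded. A privacy threshold below the score of `conv2` offloads nothing.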
Referring next to Figure 8, following stage 501, upper and lower partitions 701, 702, respectively, partition the layers of the neural network model into lower, intermediate, and upper parts.
The first layer 401 of the neural network model, being located successively before the lower partition 802, may be retained for execution on the central processing unit 201 of the mobile computing device 102. This advantageously avoids the requirement to share the input into the first layer 401 (e.g. the input image data 405) with the remote server 103. Instead, only the first intermediate representation of the input image data, in the form of feature map 1, is shared with the remote server 103.
The second and third layers, 402, 403 respectively, of the neural network model, being located between the lower partition 802 and the upper partition 801, may be offloaded to the remote server 103 for execution, thereby utilising computational resource of the remote server 103, and conserving computational resource of the mobile computing device 102. Thus, data defining the configuration of the second and third layers 402, 403, and the feature map 1, is transmitted by the mobile computing device 102 to the remote server 103, to facilitate execution of operations of the second and third layers. An output of the third layer 403 on the remote server 103 is a further intermediate representation (i.e. a second intermediate representation) of the input image data, i.e. feature map 3, which may be returned to the mobile computing device 102 via the wireless network. The fourth layer 404 of the neural network model, i.e. the fully-connected classification layer, being located successively after the upper partition 801, may be retained for execution on the mobile computing device 102. This advantageously avoids the requirement to share the classification definitions used by the classification layer 404, and/or the classification predictions output by the classification layer 404, with the remote server 103. The fourth layer 404 thus takes as an input the feature map n output by the third layer 403, in addition to predefined classification definitions stored in flash memory 202 of the mobile computing device 102, and outputs one or more classification predictions for the input image data. In the specific example, the classification predictions may be identity predictions for the subject of the input image data 405.
Referring finally to Figure 9, by the method, computational processes involved in classifying input data using a neural network classifier are distributed between the mobile computing device 102 and the remote server 103.
This distribution may advantageously increase the computational resource available for executing operations of the neural network model, thereby desirably reducing the time required for execution of the model, and/or enabling execution of a more complex neural network model for the classification task. However, because only certain layers of the neural network model are offloaded to the remote server, the volume of information shared with the remote server may be maintained relatively low. Consequently, the privacy of the information may be protected. In particular, because the classification operations of the neural network classifier are retained for execution on the mobile computing device, highly confidential information, such as classification definitions and classification predictions, associated with the classification operations is not required to be shared with the remote server, and thus the risk of misappropriation or other exposure of those items of data is reduced.
Referring finally to Figure 9, as previously described, at stage 301, the computer program run by mobile computing device 102 causes the central processing unit 201 of mobile computing device 102 to obtain and load a deep neural network model trained for the intended classification task. At stage 900, threshold performance and privacy scores are statically determined by the mobile computing device 102. At parallel stages 501 and 502 respectively and explained above, a determination is made for a placement of an upper partition, i.e. a partition demarcating a last layer of the neural network model to be offloaded to the remote server 103, and a determination is made for a placement of a lower partition, i.e. a partition demarcating a first layer of the neural network model to be offloaded to the remote server 103. As explained before, each of stages 501 and 502 includes stage 602 for determining dynamic threshold performance and privacy scores using run time performance tests. So stage 900 is optional if stage 602 is performed. Optionally, stage 602 may be omitted if stage 900 is performed.
At stage 503, following partitioning of the neural network model at stages 501, 502 using the mobile computing device 102, the intermediate operations of the neural network model are offloaded to the remote server 103. At stage 303, the computer program causes the central processing unit 201 of the mobile computing device 102 to receive input data for classification by the neural network classifier model. At stage 901, the intermediate operations are loaded onto the central processing unit 201’ of the remote server 103. At stage 902, lower layers of the neural network model are executed on the mobile computing device 102, resulting in generation of feature map 1. At stage 903, feature map 1 is transmitted, via the wireless communication network, to the remote server 103. At stage 904, the intermediate layers of the neural network are executed on the remote server 103 based on the feature map 1, resulting in generation of feature map n. At stage 905, feature map n is transmitted back to the mobile computing device 102, via the wireless network. At stage 906, the upper layers of the neural network model are executed on the mobile computing device, based on the feature map n. Finally, at stage 305, the computer program causes the mobile computing device 102 to output classification prediction(s) obtained by execution of the neural network on the received input data.
Although the embodiment of the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the scope of the invention as defined by the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality.

Claims

1. A computing device for classifying input data, the computing device comprising: a memory configured to store machine-readable instructions defining a neural network comprising one or more feature classification operations, wherein the computing device is configured to: receive input data; output the input data or a feature map representing the input data to a further computing device; receive, from the further computing device, a further feature map representing the input data; and perform one or more of the feature classification operations of the neural network defined in the memory on the further feature map representing the input data to obtain a classification prediction for the input data.
2. The computing device of claim 1, wherein the computing device is further configured to generate a classification prediction for the input data by performing the one or more feature classification operations defined in the memory.
3. The computing device of claim 2, wherein the memory is further configured to store machine-readable classification definitions, and the computing device is further configured to: access one or more of the machine-readable classification definitions stored in the memory; and generate the classification prediction for the input data by performing the one or more feature classification operations defined in the memory based on one or more of the machine-readable classification definitions stored in the memory.
4. The computing device of any one of the preceding claims, wherein the memory is further configured to store intermediate results of the neural network, and machine-readable rules defining: groups of one or more of the feature extraction and/or feature classification operations, each group having associated performance score representing a magnitude of a computational resource for computing the one or more operations of the group, and/or a privacy score representing a privacy risk associated with inputs, outputs or the operations of the group; an order for performance of the groups of the operations; and sources of operands for each group of operations in which operations of a first group in the order operate on the input data and operations of each subsequent group of operations in the order operate on one or more outputs of a preceding group of operations.
5. The computing device of claim 4, further configured to: determine a threshold performance score; determine a sum of performance scores associated with a set of one or more consecutive groups of the groups of the operations including a last group in the order; and compare the sum of performance scores associated with the set of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores is acceptable compared to the threshold performance score.
6. The computing device of claim 5, further configured to: determine a threshold privacy score; and compare one or more privacy scores associated with one or more of the groups of the set of one or more consecutive groups to the threshold privacy score and determine if a privacy score associated with one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
7. The computing device of claim 6, wherein comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing a privacy score associated with each group of the set of one or more consecutive groups to the threshold privacy score and determining if the privacy score associated with each group of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
8. The computing device of claim 6, wherein comparing one or more privacy scores associated with one or more groups of the set of one or more consecutive groups to the threshold privacy score and determining if a privacy score associated with the one or more groups of the set of one or more consecutive groups is acceptable compared to the threshold privacy score comprises comparing privacy scores associated with a respective one of a first group and a last group in the set of one or more consecutive groups to the threshold privacy score and determining if the privacy scores associated with each of the first group and the last group of the set of one or more consecutive groups is acceptable compared to the threshold privacy score.
9. The computing device of any one of claims 5 to 8, further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the one or more privacy scores associated with one or more of the groups of the set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the set of one or more consecutive groups for performance on the computing device.
10. The computing device of any one of claims 5 to 9, further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups and/or the privacy scores associated with one or more of the groups of the set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the set of one or more consecutive groups.
11. The computing device of any one of claims 5 to 10, wherein the threshold performance score is representative of a computational processing capability of the computing device.
12. The computing device of any one of claims 5 to 11, wherein the threshold performance score is a pre-determined value stored in the memory.
13. The computing device of any one of claims 5 to 11, further configured to determine the threshold performance score by evaluating a computational resource of the computing device.
14. The computing device of any one of claims 6 to 13, wherein the threshold privacy score is representative of a threshold privacy risk associated with inputs, outputs or operations of the groups of the operations.
15. The computing device of any one of claims 6 to 14, wherein the threshold privacy score is a pre-determined value stored in the memory.
16. The computing device of any one of claims 6 to 14, further configured to determine the threshold privacy score by evaluating a privacy risk associated with performance of operations of the set of one or more consecutive groups of operations by the further computing device.
17. The computing device of any one of claims 5 to 16, further configured to, in response to the sum of the performance scores associated with the set of one or more consecutive groups not being determined acceptable: determine a sum of performance scores associated with a subset of one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups; and compare the sum of performance scores associated with the subset of one or more consecutive groups to the threshold performance score and determine if the sum of the performance scores associated with the subset of one or more consecutive groups is acceptable compared to the threshold performance score.
18. The computing device of any one of claims 6 to 17, further configured to, in response to the one or more privacy scores associated with the one or more groups of the set of one or more consecutive groups not being determined acceptable: compare one or more privacy scores associated with one or more groups of a subset of one or more consecutive groups of the set of one or more consecutive groups including a last group of the set of one or more consecutive groups to the threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the subset of one or more consecutive groups is acceptable compared to the threshold privacy score.
19. The computing device of claims 17 or 18, further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of a subset of one or more consecutive groups being determined acceptable, flag operations of the subset of groups for performance on the computing device.
20. The computing device of any one of claims 14 to 16, further configured to, in response to the sum of the performance scores associated with the subset of one or more consecutive groups and/or the privacy scores associated with the one or more groups of a subset of one or more consecutive groups being determined acceptable, perform operations of the subset of groups.
21. The computing device of any one of claims 4 to 20, further configured to perform one or more of the feature extraction operations on the input data and output the feature map representing the input data resulting from performing the one or more feature extraction operations to the further computing device.
22. The computing device of any one of claims 4 to 21, further configured to: determine a further threshold performance score; determine a sum of performance scores associated with a further set of one or more consecutive groups of the group of operations including a first group in the order; and compare the sum of performance scores associated with the further set of one or more consecutive groups to the further threshold performance score and determine if the sum of the performance scores associated with the further set of one or more consecutive groups is acceptable compared to the further threshold performance score.
23. The computing device of claim 22, further configured to: determine a further threshold privacy score; and compare one or more privacy scores associated with one or more groups of the further set of one or more consecutive groups to the further threshold privacy score and determine if the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups is acceptable compared to the further threshold privacy score.
24. The computing device of claim 23, wherein the comparing one or more privacy scores associated with the one or more groups of the further set of groups to the further threshold privacy score and determining if a privacy score associated with one or more groups of the further set of groups is acceptable compared to the further threshold privacy score comprises comparing privacy scores associated with a respective one of first group and a last group of the further set of groups to the further threshold privacy score and determining if the privacy scores associated with each of the first group and the last group is acceptable compared to the further threshold privacy score.
25. The computing device of any one of claims 22 to 24, further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, flag operations of the one or more groups of the further set of one or more consecutive groups for performance on the computing device.
26. The computing device of any one of claims 22 to 25, further configured to, in response to the sum of the performance scores associated with the further set of one or more consecutive groups and/or the one or more privacy scores associated with the one or more groups of the further set of one or more consecutive groups being determined acceptable, perform operations of the one or more groups of the further set of one or more consecutive groups.
27. The computing device of any one of the preceding claims, wherein the input data comprises at least one of image data, video data, and audio data.
28. The computing device of any one of the preceding claims, wherein each of the one or more feature extraction operations comprises a convolution operation.
29. A computing device for classifying input data, the computing device comprising: a memory configured to store machine-readable instructions defining a neural network comprising one or more feature extraction operations; wherein the computing device is configured to: receive input data or a feature map representing the input data from a further computing device; perform one or more of the feature extraction operations of the neural network defined in the memory on the input data or the feature map representing the input data; generate a further feature map representing the input data resulting from the performance of the one or more feature extraction operations; and output the further feature map representing the input data to the further computing device.
30. The computing device of claim 29, further configured to receive from the further computing device the machine-readable instructions defining the one or more feature extraction operations of the neural network.
31. A method for classifying input data using a neural network, the method comprising: receiving input data using a computing device and outputting the input data or a feature map representing the input data to a further computing device; receiving, using the computing device, a further feature map representing the input data from the further computing device; and performing on the computing device one or more feature classification operations of the neural network on the further feature map representing the input data.
32. A method for classifying input data using a neural network, the method comprising: receiving, using a computing device, input data or a feature map representing the input data from a further computing device; performing, using the computing device, one or more feature extraction operations of the neural network on the input data or the feature map representing the input data; generating a further feature map representing the input data resulting from the performance of the one or more feature extraction operations of the neural network; and outputting the further feature map representing the input data to the further computing device.
33. A computer program comprising instructions, which, when executed by a computing device, cause the computing device to perform the method of claim 31 or 32.
34. A computer-readable data carrier having the computer program of claim 33 stored thereon.
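The selection logic of claims 17 to 19 and 22 to 25 can be sketched as follows; this is an added example, not part of the patent text or any implementation by the applicant. It assumes that a sum of performance scores is acceptable when it does not exceed the threshold, that a privacy score is acceptable when it is at least the threshold, that both checks must pass, and that the first-and-last-group check of claim 24 is used for both sets; the `Group` type, function names and sample scores are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    performance: int  # assumed meaning: cost of running this group locally
    privacy: float    # assumed meaning: higher is more acceptable

def acceptable(groups, perf_threshold, privacy_threshold):
    """Sum of performance scores and boundary privacy scores against thresholds."""
    if not groups:
        return False
    perf_ok = sum(g.performance for g in groups) <= perf_threshold
    # Claim 24 checks the first and last group of the set; reused here for both sets.
    privacy_ok = all(g.privacy >= privacy_threshold for g in (groups[0], groups[-1]))
    return perf_ok and privacy_ok

def select_tail(groups, perf_threshold, privacy_threshold):
    """Claims 17-19: shrink to subsets that still include the last group."""
    for start in range(len(groups)):
        if acceptable(groups[start:], perf_threshold, privacy_threshold):
            return groups[start:]
    return []

def select_head(groups, perf_threshold, privacy_threshold):
    """Claims 22-25: largest acceptable set that includes the first group."""
    for end in range(len(groups), 0, -1):
        if acceptable(groups[:end], perf_threshold, privacy_threshold):
            return groups[:end]
    return []

def partition(groups, perf, priv, further_perf, further_priv):
    """Flag head and tail groups for the local device; the rest is offloaded."""
    tail = select_tail(groups, perf, priv)
    head = select_head(groups[:len(groups) - len(tail)], further_perf, further_priv)
    middle = groups[len(head):len(groups) - len(tail)]
    return {k: [g.name for g in v] for k, v in
            (("local_head", head), ("offloaded", middle), ("local_tail", tail))}

# Constructed sample: six ordered groups of a hypothetical network.
GROUPS = [Group("conv1", 4, 0.9), Group("conv2", 6, 0.3), Group("conv3", 8, 0.4),
          Group("conv4", 5, 0.7), Group("conv5", 3, 0.8), Group("fc", 2, 0.9)]

if __name__ == "__main__":
    print(partition(GROUPS, perf=10, priv=0.6, further_perf=10, further_priv=0.35))
```

With the constructed scores, the set conv1 to conv2 fits the performance budget but is rejected because its last group fails the privacy threshold, so only conv1 stays local at the head.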
PCT/EP2020/082215 2020-11-16 2020-11-16 Device and method for classifying input data WO2022100861A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/082215 WO2022100861A1 (en) 2020-11-16 2020-11-16 Device and method for classifying input data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/082215 WO2022100861A1 (en) 2020-11-16 2020-11-16 Device and method for classifying input data

Publications (1)

Publication Number Publication Date
WO2022100861A1 true WO2022100861A1 (en) 2022-05-19

Family

ID=73455707

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/082215 WO2022100861A1 (en) 2020-11-16 2020-11-16 Device and method for classifying input data

Country Status (1)

Country Link
WO (1) WO2022100861A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200258004A1 (en) * 2017-01-20 2020-08-13 Cybraics, Inc. Methods and systems for analyzing cybersecurity threats
US20230198905A1 (en) * 2020-07-29 2023-06-22 Micron Technology, Inc. Edge processing of sensor data using a neural network to reduce data traffic on a communication network
US11915122B2 (en) 2020-07-29 2024-02-27 Micron Technology, Inc. Gateway for distributing an artificial neural network among multiple processing nodes

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190392305A1 (en) * 2018-06-25 2019-12-26 International Business Machines Corporation Privacy Enhancing Deep Learning Cloud Service Using a Trusted Execution Environment
US20200293887A1 (en) * 2019-03-11 2020-09-17 doc.ai, Inc. System and Method with Federated Learning Model for Medical Research Applications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OSIA SEYED ALI ET AL: "A Hybrid Deep Learning Architecture for Privacy-Preserving Mobile Analytics", IEEE INTERNET OF THINGS JOURNAL, IEEE, USA, vol. 7, no. 5, 17 January 2020 (2020-01-17), pages 4505 - 4518, XP011788113, DOI: 10.1109/JIOT.2020.2967734 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20808073

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20808073

Country of ref document: EP

Kind code of ref document: A1